(54) Method and apparatus for establishing a security policy, and method and apparatus for supporting establishment of security policy

(57) There are provided a method of efficiently establishing a security policy and an apparatus for supporting preparation of a security policy. According to a method of establishing a security policy in six steps, a simple security policy draft is first prepared. The security policy draft is adjusted so as to match realities of an organization, as required, thus completing a security policy stepwise. Therefore, a security policy can be established in consideration of a schedule or budget of the organization.
Description

Background of the Invention

Field of the invention

[0001] The present invention relates to establishment of a so-called security policy. More particularly, the present invention relates to a method and apparatus which enable immediate establishment of a security policy suitable for an individual organization, as well as to a method and apparatus for supporting establishment of a security policy.

Background Art

[0002] In association with the development of information technology, the importance of information security increases. Every organization takes various measures for protecting internal information.

[0003] For example, a firewall is set at an interface for establishing connection with an external network, thereby preventing unauthorized intrusion of outsiders into an internal network of the organization, or unauthorized access to internal information.

[0004] In order to combat computer viruses or the like, virus detection/combat software is employed for monitoring computers disposed in the organization. Throughout the specification, the expression "organization" signifies an enterprise, a federal or municipal agency, a corporation such as a legally-incorporated foundation, or any other party or organized group.
[0005] As mentioned above, various measures have hitherto been taken for ensuring information security.

[0006] If such measures are independently or separately discussed or reviewed, ensuring the security level of the entire organization becomes difficult.

[0007] For instance, no matter how well a firewall is enhanced, if third parties can freely enter the organization's building and have an opportunity to operate a terminal, the security level of the entire organization is considerably deteriorated.

[0008] Even if virus detection software is used, if updating of software for opposing new viruses is neglected, the software cannot combat newly created computer viruses.

[0009] In order to enhance the information security level of the entire organization, there must be devised a method for designing and implementing information security of the entire organization. Such a designing and implementation method (or a group of designing and implementation methods) is generally called a security policy.

[0010] Various proposals concerning basic headings and contents for establishing a standard security policy have already been put forward as international guidelines. As a matter of course, the headings and contents must be individually tailored to the organization.



[0011] Therefore, there still remains a necessity for establishing a security policy on a per-organization basis; security policies cannot be mass-produced. Thus, establishment of an individual security policy involves consumption of much time and effort.

[0012] Further, contents of a security policy must be changed with the elapse of time. For instance, in a case where a corporate organizational structure has been changed, usage value and risk assessment of existing information must be changed correspondingly.

[0013] A common method concerning establishment of a security policy and making periodic amendments to the security policy has not been known. For this reason, individual systems engineers have had to establish or amend a security policy through experience and guesswork. As a result, establishment of or making amendments to a security policy consumes an enormous amount of manpower. It is assumed that amendments may fail to catch up with a change in the actual circumstances (hereinafter called "reality") of an organization.

[0014] It has often been seen that a wide difference arises between a security policy and the reality of an organization, thereby imposing difficulty in establishing and sustaining enhanced information security.

[0015] The present invention has been conceived in light of the foregoing drawbacks of the background art and is aimed at providing a method of efficiently establishing a security policy, as well as an apparatus for supporting establishment of a security policy.

Summary of the Invention

[0016] To this end, the present invention provides a method of establishing a security policy for a predetermined organization, the method comprising:

a draft preparation step of preparing a security policy draft;

an analysis step of examining a difference between the security policy draft and realities of the organization; and

an adjustment step of adjusting the security policy draft on the basis of the difference or adjusting operation rules of an actual information system belonging to the organization on the basis of the difference.

[0017] By means of such a configuration, a security policy can be established stepwise, thereby enabling efficient establishment of a security policy.

[0018] Preferably, the draft preparation step comprises:



a preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a drafting step of preparing a security policy draft on the basis of the answers.

[0019] By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

[0020] Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0021] Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

[0022] Preferably, the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

[0023] Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0024] Preferably, the analysis step comprises at least one of:

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers;

a first difference detection step of inspecting a difference between an information system virtually designed on the basis of the answers and the security policy by means of comparison; and

a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft by means of comparison.

[0025] Such a configuration enables finding of contradiction between answers and detection of a difference between a real information system and a security policy.
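The answer acquisition step of [0022] and the contradiction inspection of [0024], carried out on constructed sample answers as an added Python example that is not part of the patent text; the member names, the job-specification weights and the 0.6 confidence threshold are assumptions:

```python
"""Answer acquisition for security policy inquiries.

Added example, not code from the patent. Models the answer acquisition
step of [0022] and the contradiction inspection of [0024]: a member's
answers are integrated, contradictory answers are found, and an answer
is estimated by weighting members' job specifications. Members,
answers, weights and the confidence threshold are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    member: str   # member who answered
    job: str      # job specification of that member
    inquiry: str  # inquiry identifier
    value: str    # the answer given


# Assumed job-specification weights: the member operating an area outweighs
# general staff when answers to the same inquiry disagree.
JOB_WEIGHTS = {"network-admin": 3.0, "security-officer": 2.0, "staff": 1.0}

# Constructed answers: two inquirers separately questioned the same members.
SAMPLE_ANSWERS = [
    Answer("alice", "network-admin", "fw-logs-reviewed", "yes"),
    Answer("alice", "network-admin", "fw-logs-reviewed", "yes"),  # asked twice
    Answer("bob", "staff", "fw-logs-reviewed", "no"),
    Answer("carol", "security-officer", "fw-logs-reviewed", "yes"),
    Answer("bob", "staff", "visitor-badges", "yes"),
    Answer("bob", "staff", "visitor-badges", "no"),  # bob contradicts himself
    Answer("carol", "security-officer", "visitor-badges", "no"),
    Answer("alice", "network-admin", "av-updated-weekly", "yes"),
    Answer("bob", "staff", "av-updated-weekly", "yes"),
]


def integrate_answers(raw):
    """Collapse each member's answers to one answer per inquiry.

    Returns (integrated, self_contradictions): integrated maps
    (member, inquiry) to the single Answer stored for that member;
    self_contradictions lists (member, inquiry) pairs where the same member
    answered one inquiry differently to two inquirers, which must be
    re-submitted before anything is stored.
    """
    values, first = defaultdict(set), {}
    for a in raw:
        key = (a.member, a.inquiry)
        values[key].add(a.value)
        first.setdefault(key, a)
    self_contradictions = sorted(k for k, v in values.items() if len(v) > 1)
    integrated = {k: a for k, a in first.items() if len(values[k]) == 1}
    return integrated, self_contradictions


def inspect_contradictions(integrated):
    """Group stored answers by inquiry; report inquiries with differing values."""
    by_inquiry = defaultdict(list)
    for a in integrated.values():
        by_inquiry[a.inquiry].append(a)
    contradictory = {q for q, ans in by_inquiry.items()
                     if len({a.value for a in ans}) > 1}
    return by_inquiry, contradictory


def estimate_answer(answers, weights=JOB_WEIGHTS):
    """Weight contradictory answers by job specification.

    Returns (value, share) where share is the weighted fraction behind the
    chosen value; an even split gives share 0.5.
    """
    totals = defaultdict(float)
    for a in answers:
        totals[a.value] += weights.get(a.job, 1.0)
    best = max(totals, key=totals.get)
    return best, totals[best] / sum(totals.values())


def acquire_answers(raw, weights=JOB_WEIGHTS, min_share=0.6):
    """Run the steps of [0022]; return what is stored, estimated and re-submitted."""
    integrated, self_contra = integrate_answers(raw)
    by_inquiry, contradictory = inspect_contradictions(integrated)
    stored, estimated, resubmit = {}, {}, list(self_contra)
    for q, ans in by_inquiry.items():
        if q not in contradictory:
            stored[q] = ans[0].value
            continue
        value, share = estimate_answer(ans, weights)
        estimated[q] = (value, round(share, 2))
        if share >= min_share:
            stored[q] = value
        else:  # no clear weighted majority: put the inquiry to everyone again
            resubmit.append((None, q))
    return {"stored": stored, "estimated": estimated, "resubmit": resubmit}


if __name__ == "__main__":
    for name, part in acquire_answers(SAMPLE_ANSWERS).items():
        print(f"{name}: {part}")
```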
[0026] Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

[0027] Such a configuration enables devising of measures with assigned priorities.

[0028] Preferably, the method of establishing a security policy further comprises a diagnosis step of diagnosing the security state of the organization, wherein a result of diagnosis performed in the diagnosis step is submitted to the organization, wherewith the organization can become conscious of a necessity for a security policy.

[0029] Such a configuration enables ascertainment of the security status of the organization.

[0030] Preferably, the method of establishing a security policy further comprises a priority planning step of planning, in sequence of priority, implementation with priority of the security measures which have been devised, thereby embodying a budget of the organization.

[0031] Such a configuration enables implementation of security measures in a premeditated manner, thereby facilitating preparation of a budget.

[0032] Preferably, the security measures comprise:

constructing a system for managing the establishment of a security policy;

introduction of a security system;

training for compelling members to respect a security policy;

analysis of system logs;

monitoring of a network;

auditing operations on the basis of the security policy; and

reviewing the security policy.

[0033] Since the security measures involve training of members as well as introduction of information security equipment, a higher degree of information security can be attained.

[0034] Preferably, the method of establishing a security policy further comprises a security enhancement measures implementation step of implementing the security measures in accordance with the plan.

[0035] Such a configuration enables smooth implementation of security measures.

[0036] The present invention also provides a method of establishing a security policy comprising:

a preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

an establishment step of establishing a security policy on the basis of the answers.

[0037] By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

[0038] Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.
[0039] Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

[0040] Preferably, the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

[0041] Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0042] Preferably, the establishment step involves establishment of three levels of security policies; namely,

an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

[0043] Since three levels of security policies are established, a hierarchical security policy can be obtained. Here, the measures to implement the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.

[0044] Preferably, the corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipments constituting the information security system of the organization.

[0045] Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

[0046] Preferably, the product-level security policy includes two types of product-level policies; namely,

a first-level security policy describing settings of individual equipments constituting the information security system in natural language; and

a second-level security policy describing settings of individual equipments constituting the information security system in specific language used in specific equipments.

[0047] The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

[0048] Preferably, the analysis step comprises:

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers; and

a difference detection step of inspecting whether or not there is a difference between an information system virtually designed on the basis of the answers and a real information system of the organization.

[0049] Such a configuration enables efficient detection of contradiction or difference.

[0050] Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

[0051] Since measures are devised in conjunction with priorities thereof, planning for implementing information security is facilitated.

[0052] The present invention also provides an apparatus for establishing a security policy comprising:

inquiry preparation means for preparing inquiries to be submitted to members of an organization;

storage means for storing answers to the inquiries;

answer archival storage means for acquiring from the members the answers to the inquiries and storing the answers into the storage means; and

establishment means for establishing a security policy on the basis of the answers stored in the storage means.

[0053] Since inquiries to be submitted to members are prepared, inquiry operations are facilitated. Here, the expression "member" signifies any individual associated with an information system of the organization. Therefore, members include part-time employees and employees of affiliated corporations, as well as employees of an organization of interest.

[0054] Preferably, the inquiry preparation means prepares inquiries to be submitted to the members to be inquired, on the basis of job specifications of the members to be inquired.

[0055] Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

[0056] Preferably, the answer archival storage means

integrates the answers acquired from a single member from among the acquired answers and stores the integrated answers into the storage means as answers of a single member to be inquired; or

re-submits inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and stores the answers into the storage means; or

assigns weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers, and displays the estimated answers.

[0057] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0058] Preferably, the establishment means establishes three levels of security policies; namely,

an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

[0059] Since three levels of security policies are established, a hierarchical security policy can be obtained. Here, the measures for implementing the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.

[0060] Preferably, the corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipments constituting the information security system of the organization.

[0061] Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

[0062] Preferably, the product-level security policy includes two types of product-level policies; namely,

a first-level security policy describing settings of individual equipments constituting the information security system in natural language; and

a second-level security policy describing settings of individual equipments constituting the information security system in specific language used in specific equipments.

[0063] The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

[0064] The present invention also provides a method of assessing the state of security of an organization, the method comprising:

an inquiry preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a security state assessment step of assessing the state of security on the basis of the answers.

[0065] By means of such a configuration, the security state of an organization can be ascertained on the basis of answers to inquiries.

[0066] Preferably, the inquiry preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

[0067] Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

[0068] Preferably, the answer acquisition step involves integration of previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and involves storage of the integrated answers into storage means as answers from a single member to be inquired.

[0069] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0070] Preferably, the assessment of a security state includes:

assessment of security of the organization;

average assessment of security of the other organizations included in an industry to which the organization pertains; and

the highest security assessment which is considered to be attainable by organizations in the industry to which the organization pertains.

[0071] Such a configuration enables assessment of an organization in comparison with similar organizations. Further, display of a theoretical highest value assists a manager in setting a goal to be attained.

[0072] Preferably, the assessment of a security state includes scores assigned to the following items; namely,

understanding and attitude concerning security;

a security system of the organization;

a response to unexpected accidents;

preparation of a budget for security; and

measures to improve security.

[0073] Such a configuration enables an organization to ascertain assessment of information security on a per-item basis in respect of the manager's concept.
[0074] The present invention also provides an apparatus for assessing the state of security of an organization, the apparatus comprising:

preparation means for preparing inquiries to be submitted to members of an organization;

storage means for storing answers to the inquiries;

answer archival storage means for acquiring the answers to the inquiries from the members and storing the answers into the storage means; and

security maturity preparation means for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

[0075] Inquiries are submitted to members, and an organization can ascertain its security on the basis of answers to the inquiries.

[0076] Preferably, the answer archival storage means integrates previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and stores the integrated answers into the storage means as answers from a single member to be inquired.

[0077] Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

[0078] Preferably, the security maturity report includes:

the degree of maturity of the organization's security;

the average degree of maturity of security of other organizations included in an industry to which the organization pertains; and

the highest degree of maturity of security which is considered to be attainable by organizations in the industry to which the organization pertains.

[0079] Such a configuration enables assessment of an organization in comparison with other organizations in respect of the average degree. Further, display of a theoretical highest value facilitates setting of a goal to be attained.

[0080] Preferably, the security maturity report includes scores assigned to the following items; namely,

understanding and attitude concerning security;

a security system of the organization;

response to unexpected accidents;

preparation of a budget for security; and

measures to improve security.

[0081] Such a configuration enables an organization to ascertain assessment of information security on a per-item basis in respect of the manager's concept.

[0082] The present invention also provides an analyzer for analyzing a difference between a security policy and an information system of an organization, comprising:

contradiction inspection means for inspecting whether or not contradiction exists between individual answers in response to inquiries submitted to members of the organization; and

contradiction output means for outputting information about the inspected contradiction.

[0083] Such a configuration enables ascertainment of contradiction included in answers.
[0084] Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises:

indicating means for indicating the contradiction on the basis of the information about contradiction;

establishment means for virtually establishing an information system for the organization on the basis of the answers produced by the matching means; and

difference output means for outputting a difference between the configuration of the virtually-established information system and a security policy, by means of comparison.

[0085] Such a configuration enables ascertainment of a difference between a security policy and realities of an organization.

[0086] Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises:

real system input means for examining the information system of the organization and entering the configuration of the information system; and

difference output means which verifies the virtually-established information system by reference to the configuration of the information system and outputs a difference between a security policy and the configuration of the virtually-established information system which has been verified, by means of comparison.

[0087] Such a configuration enables comparison between an information system which has been verified by means of actual examination of an information system and a security policy, thereby enabling accurate analysis of a difference.

[0088] An invention according to a second embodi- 
ment will now be described. 

[0089] To solve the previously-described problem, in 
the inquiry preparation step, the inquiries are prepared 
in accordance with the line of business of the organiza- 
tion. 

[0090] Preferably, the inquiry preparation means gen- 
erates inquiries to be submitted to an interviewee in ac- 
cordance with the line of business of the organization. 
[0091] According to the present invention, the line of 
business of an organization is taken into account. 
Hence, a security policy corresponding to a line of busi- 
ness can be established. 

[0092] An invention according to a third embodiment 
will now be described. 

[0093] According to the present invention, in the draft- 
ing step, a security policy is drafted on the basis of rec- 
ommendations or regulations aimed at a specific line of 
business. 

[0094] According to the present invention, the estab- 
lishment means establishes a security policy on the ba- 
sis of items of recommendations or regulations aimed 
at a specific line of business. 

[0095] Such a configuration enables establishment of 
a security policy for items which are of greater detail than 
general-purpose global guidelines, in connection with a 
specific line of business. 

[0096] An invention according to a fourth embodiment 
will be described hereinbeiow. 

[0097] According to the present invention, in the es- 
tablishment step, a security policy is established on the 
basis of items of global guidelines of one or a plurality 
of types prescribed by a user. 

[0098] According to the present invention, the estab- 
lishment means establishes a security policy on the ba- 
sis of items of global guidelines of one or a plurality of 
types prescribed by a user. 

[0099] By means of the configuration of the invention, 
a user can select a global guidelines to be employed. 
[0100] According to the present invention, in the in- 
quiry preparation step, inquiries are generated on the 
basis of items of global guidelines of one or a plurality 
of types prescribed by a user. 

[0101] Similarly, the inquiry preparation means gen- 
erates inquiries to be submitted to interviewees, on the 
basis of items of global guidelines of one or a plurality 
of types prescribed by a user. 

[0102] By means of such a configuration, inquiries 
complying with a global guideline prescribed by the user 
are submitted, thereby enabling efficient inquiries. 
[0103] An invention according to a fifth embodiment 
will now be described. 

[0104] According to the present invention, in the es- 
tablishment step, a security policy is established on the 
basis of an indicator of rigorousness of security policy 



prescribed by the user. 

[0105] According to the present invention, the estab- 
lishment means establishes a security policy on the ba- 
sis of an indicator of rigorousness of security policy pre- 
5 scribed by the user. 

[01 06] By means of the configuration according to the 
present invention, the user can freely specify the level 
of rigorousness of security policy through use of security 
policy. 

10 [0107] According to the present invention, in the in- 
quiry preparation step, the inquiries are generated on 
the basis of an indicator of rigorousness of security pol- 
icy prescribed by the user. 

[0108] Similarly, according to the present invention, 
is the inquiry preparation means generates inquiries, on 
the basis of an indicator of rigorousness of security pol- 
icy prescribed by the user. 

[0109] By means of such a configuration, inquiries are 
generated in accordance with the level of rigorousness 

20 prescribed by the user. As will be described later, if a 
higher level of rigorousness is prescribed, the number 
of general inquiries is increased, so that inquiries con- 
cerning detailed items are generated. In contrast, if a 
lower level of rigorousness is prescribed, the number of 

25 general inquiries is reduced, and inquiries become less 
elaborate. Since inquiries according to the level of rig- 
orousness are generated, inquiries can be made more 
efficiently. 

[01 10] The present invention provides a security pol- 
30 icy rigorousness adjustment method for adjusting the 
level of rigorousness of a security policy, comprising: 

a rigorousness adjustment step of replacing the 
rules which have been determined not to match the 
35 indicator of rigorousness prescribed by a user with 
rules matching the indicator of rigorousness; and 
a merge and output step of merging the rules 
matching the indicator of rigorousness from the be- 
ginning with the rules which in the rigorousness ad- 
40 justment step have replaced the rules not matching 
the indicator and of outputting the merged rules. 

[0111] Further, the present invention provides a security policy rigorousness adjustment apparatus for adjusting the level of rigorousness of a security policy, comprising:

rigorousness adjustment means for replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator of rigorousness; and

[0112] merge and output means for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator, and for outputting the merged rules.

[0113] By means of these configurations according to the present invention, the level of rigorousness of the security policy can be adjusted such that the level of rigorousness prescribed by the user is achieved.

[0114] An invention according to a sixth embodiment will now be described.

[0115] The present invention provides a method of establishing a security policy of a predetermined organization, comprising:

an inquiry preparation step of generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;
an inquiry submission step of submitting the generated inquiries to the members;
an answer acquisition step of acquiring from the members answers to the inquiries; and
a preparation step of preparing a security policy draft on the basis of the answers, wherein, in the establishment step, a security policy within a range of establishment prescribed by the user is established.

[0116] By means of the configuration set forth, a se- 
curity policy falling within the range prescribed by the 
user is obtained. 

[0117] According to the present invention, in the inquiry preparation step, inquiries pertaining to the range of establishment prescribed by the user are generated.
[0118] By means of such a configuration according to the present invention, only inquiries about the range prescribed by the user are generated. Hence, submission of inquiries irrelevant to the range is prevented.
[0119] The present invention provides a security pol-
icy establishment apparatus for establishing a security 
policy of a predetermined organization, comprising: 

inquiry preparation means for generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;
storage means for storing answers to the generated inquiries;
answer archival storage means for acquiring answers to the generated inquiries and storing the answers into the storage means; and
establishment means for establishing a security policy within the range of establishment prescribed by the user.

[0120] By means of such a configuration, there is obtained a security policy falling within the range prescribed by the user.

[0121] According to the present invention, the inquiry preparation means generates inquiries pertaining to the range of establishment prescribed by the user.
[0122] Such a configuration enables generation of only inquiries pertaining to the range prescribed by the user. Hence, submission of inquiries irrelevant to the range is prevented.



[0123] An invention according to a seventh embodiment will be described.

[0124] The seventh embodiment describes programs 
for causing a computer to perform the operations which 
have been described thus far and a recording medium 
(hard disk drive) having the programs recorded thereon. 
Hence, operations of the programs and operation of the 
recording medium having the programs recorded ther- 
eon are identical with those of the inventions which have 
been described thus far. 

[0125] The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of a predetermined organization and are to be submitted to members of the organization;
answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and
establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.

[0126] According to the present invention, in the in- 
quiry preparation procedures, inquiries to be submitted 
to interviewees are generated on the basis of job spec- 
ifications of the interviewees. 

[0127] According to the present invention, in the answer archival procedures, either the answers acquired from a single member on several occasions are integrated and stored into the storage means as the answers of that member; or, if contradictory answers are included in the acquired answers, weights are assigned to the answers according to the job specifications of the members inquired, final answers are thereby estimated, and the estimated final answers are displayed.

[0128] According to the present invention, in the in- 
quiry preparation procedures, inquiries to be submitted 
to the interviewees are generated on the basis of the 
line of business of the organization. 
[0129] According to the present invention, in the es- 
tablishment procedures, a security policy is established 
on the basis of items of global guidelines of one or a 
plurality of types prescribed by a user. 
[0130] According to the present invention, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.
[0131] According to the present invention, in the es- 
tablishment procedures, a security policy within a range 
of establishment prescribed by the user is established. 
[0132] The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

inquiry preparation procedures for generating inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization;
answer archival procedures for entering answers to the prepared inquiries and storing the answers into storage means; and
security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

[0133] The present invention provides a computer- 
readable recording medium having recorded thereon a 
program for causing a computer to perform: 

contradiction inspection procedures for inspecting 
whether or not contradiction exists between individ- 
ual answers submitted in response to inquiries 
which pertain to items required for ascertaining a 
difference between a security policy of the prede- 
termined organization and an information system of 
the organization and which have been submitted to 
members of a predetermined organization; and 
contradiction output procedures for outputting infor- 
mation about the inspected contradiction. 

[0134] Preferably, the recording medium further com- 
prises: 

matching procedures for matching the answers on 
the basis of the information about contradiction, 
thus producing answers free of contradiction; 
establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching procedures; and
difference output procedures for outputting a differ- 
ence between the configuration of the virtually-es- 
tablished information system and the security poli- 
cy, obtained by means of comparison. 

[0135] The present invention provides a computer- 
readable recording medium having recorded thereon a 
program for causing a computer to perform: 

level-of-rigorousness inspection procedures for in- 
specting whether or not individual rules of the secu- 
rity policy match an indicator of rigorousness pre- 
scribed by a user; 

rigorousness adjustment procedures for replacing 
the rules which have been determined not to match 
the indicator in the level-of-rigorousness inspection 
step with rules matching the indicator of rigorous- 
ness; and 

merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator, and for outputting the merged rules.

[0136] The inventions set forth relate to a recording 
medium. 

[0137] Next, an invention related to a program will be 
described. 

[0138] The present invention provides a program for 
causing a computer to perform: 

inquiry preparation procedures for generating in- 
quiries which pertain to items required for establish- 
ing a security policy of a predetermined organiza- 
tion and are to be submitted to members of the or- 
ganization; 

answer archival procedures for entering answers to 
the prepared inquiries and storing the answers into 
storage means; and 

establishment procedures for establishing a secu- 
rity policy on the basis of the answers stored in the 
storage means. 

[0139] According to the present invention, in the in-
quiry preparation procedures, inquiries to be submitted 
to interviewees are generated on the basis of job spec- 
ifications of the interviewees. 

[0140] According to the present invention, in the answer archival procedures, either the answers acquired from a single member on several occasions are integrated and stored into the storage means as the answers of that member; or, if contradictory answers are included in the acquired answers, weights are assigned to the answers according to the job specifications of the members inquired, final answers are thereby estimated, and the estimated final answers are displayed.

[0141] According to the present invention, in the in- 
quiry preparation procedures, inquiries to be submitted 
to the interviewees are generated on the basis of the 
line of business of the organization. 
[0142] According to the present invention, in the es- 
tablishment procedures, a security policy is established 
on the basis of items of global guidelines of one or a 
plurality of types prescribed by a user. 
[0143] According to the present invention, in the in- 
quiry preparation procedures, the inquiries are generat- 
ed on the basis of an indicator of rigorousness of secu- 
rity policy prescribed by the user. 
[0144] According to the present invention, in the es- 
tablishment procedures, a security policy within a range 
of establishment prescribed by the user is established. 
[0145] The present invention provides a program for 
causing a computer to perform: 

inquiry preparation procedures for generating inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization;
answer archival procedures for entering answers to 
the generated inquiries and storing the answers into 
storage means; and 

security maturity preparation procedures for pre- 
paring a security maturity report representing the 
degree of maturity of security, on the basis of the 
answers stored in the storage means. 

[0146] The present invention provides a program for 
causing a computer to perform: 

contradiction inspection procedures for inspecting 
whether or not contradiction exists between individ- 
ual answers in response to inquiries which pertain 
to items required for ascertaining a difference be- 
tween a security policy of the predetermined organ- 
ization and an information system of the organiza- 
tion and which have been submitted to members of 
a predetermined organization; and 
contradiction output procedures for outputting infor- 
mation about the inspected contradiction. 

[0147] According to the present invention, the pro- 
gram further comprises: 

matching procedures for matching the answers on 
the basis of the information about contradiction, 
thus producing answers free of contradiction; 
establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching procedures; and
difference output procedures for outputting a differ- 
ence between the configuration of the virtually-es- 
tablished information system and the security poli- 
cy, obtained by means of comparison. 

[0148] The present invention provides a program for 
causing a computer to perform: 

level-of-rigorousness inspection procedures for in- 
specting whether or not individual rules of the secu- 
rity policy match an indicator of rigorousness pre- 
scribed by a user; 

rigorousness adjustment procedures for replacing 
the rules which have been determined not to match 
the indicator in the level-of-rigorousness inspection 
step with rules matching the indicator of rigorous- 
ness; and 

merge and output procedures for merging the rules 
matching the indicator of rigorousness from the be- 
ginning with the rules which in the rigorousness ad- 
justment step have replaced the rules not matching 
the indicator and for outputting the merged rules. 
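The level-of-rigorousness inspection, rigorousness adjustment and merge and output procedures of [0135] and [0148], together with the rigorousness-dependent selection of inquiries described in [0109], can be illustrated with the following Python program. It is an added example and not code from the patent; the three-level indicator, the rule catalogue, the inquiry texts and the assumption of one rule per topic are choices made here for illustration.

```python
"""Rigorousness adjustment of a security policy.

Added example; the indicator scale (1 = lenient .. 3 = strict), the rule
catalogue and the inquiry texts are assumptions, not taken from the patent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    topic: str   # item of the security policy the rule governs (one rule per topic assumed)
    level: int   # indicator of rigorousness the rule was written for
    text: str


# Constructed catalogue: one candidate rule per (topic, level).
CATALOGUE = {
    ("password", 1): "Passwords are at least 8 characters long.",
    ("password", 2): "Passwords are at least 12 characters long and changed yearly.",
    ("password", 3): "Passwords are at least 16 characters long, changed every 90 days, and MFA is required.",
    ("remote_access", 1): "Remote access is permitted with a password.",
    ("remote_access", 2): "Remote access is permitted only over a VPN.",
    ("remote_access", 3): "Remote access is permitted only over a VPN with client certificates.",
    ("logging", 1): "Servers keep logs for 1 month.",
    ("logging", 2): "Servers keep logs for 6 months on a central log host.",
    ("logging", 3): "Servers keep logs for 1 year on a write-once central log host.",
}

# Constructed inquiries with the level of detail each one asks for.
INQUIRIES = [
    ("Do you use passwords?", 1),
    ("What is the minimum password length?", 2),
    ("How often are passwords rotated?", 3),
    ("Is remote access permitted?", 1),
    ("Is a VPN used for remote access?", 2),
    ("Which authentication does the VPN use?", 3),
]


def select_inquiries(inquiries, indicator):
    """Inquiry preparation per [0109]: a higher indicator admits more, and more
    detailed, inquiries; a lower indicator keeps only the general ones."""
    return [text for text, detail in inquiries if detail <= indicator]


def inspect_rigorousness(policy, indicator):
    """Level-of-rigorousness inspection: tag every rule as matching or not."""
    return [(rule, rule.level == indicator) for rule in policy]


def adjust_rigorousness(inspected, indicator):
    """Rigorousness adjustment: for each rule that does not match, take the
    catalogue rule on the same topic at the prescribed level."""
    replaced = []
    for rule, matches in inspected:
        if matches:
            continue
        key = (rule.topic, indicator)
        if key not in CATALOGUE:
            raise KeyError(f"no rule for topic {rule.topic!r} at level {indicator}")
        replaced.append(Rule(rule.topic, indicator, CATALOGUE[key]))
    return replaced


def merge_and_output(policy, indicator):
    """Merge and output: rules that matched from the beginning are kept as they
    are, replacement rules take the place of the rules they replaced, and the
    original order of the policy is preserved."""
    inspected = inspect_rigorousness(policy, indicator)
    replacements = {r.topic: r for r in adjust_rigorousness(inspected, indicator)}
    return [rule if matches else replacements[rule.topic]
            for rule, matches in inspected]


if __name__ == "__main__":
    draft = [Rule("password", 1, CATALOGUE[("password", 1)]),
             Rule("remote_access", 2, CATALOGUE[("remote_access", 2)]),
             Rule("logging", 3, CATALOGUE[("logging", 3)])]
    for rule in merge_and_output(draft, 2):
        print(f"[{rule.topic} L{rule.level}] {rule.text}")
    print(select_inquiries(INQUIRIES, 1))
```

Adjusting the three-rule draft above to level 2 keeps the remote-access rule untouched (it matched from the beginning), lowers the logging rule and raises the password rule, and emits the three in their original order; a topic with no catalogue entry at the requested level is reported rather than silently dropped.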
Brief Description of the Drawings
[0149] 

FIG. 1 is a flowchart representing the principle of a 
business model according to a preferred embodi- 
ment of the present invention; 
FIG. 2 is a block diagram showing the configuration 
of an appraisal device; 

FIG. 3 is a flowchart representing preparation of an 
appraisal report; 

FIG. 4 is a block diagram showing the configuration 
of an apparatus for preparing a security policy draft; 
FIG. 5 is a flowchart showing establishment of a security policy draft through use of a security policy draft establishment apparatus;
FIG. 6 is a listing of types representing job specifi- 
cations; 

FIG. 7 is a block diagram showing the configuration 
of an analyzer; 

FIG. 8 is a block diagram showing the configuration 
of a security policy draft preparation apparatus ac- 
cording to a second embodiment of the present in- 
vention; 

FIG. 9 is a block diagram showing the configuration 
of a security policy draft preparation apparatus ac- 
cording to a third embodiment of the present inven- 
tion; 

FIG. 10 is a block diagram showing the configura- 
tion of a security policy draft preparation apparatus 
according to a fourth embodiment of the present in- 
vention; 

FIG. 11 is a block diagram showing the configura- 
tion of a security policy draft preparation apparatus 
according to a fifth embodiment of the present in- 
vention; 

FIG. 12 is a block diagram showing the configura- 
tion of a security policy rigorousness adjustment ap- 
paratus according to the fifth embodiment of the 
present invention; 

FIG. 13 is a flowchart showing operation of the se- 
curity policy rigorousness adjustment apparatus ac- 
cording to the fifth embodiment; 
FIG. 14 is a block diagram showing the configura- 
tion of a security policy draft preparation apparatus 
according to a sixth embodiment of the present in- 
vention; and 

FIG. 15 is a descriptive view showing a computer and a hard disk drive provided therein according to a seventh embodiment.

Detailed Description of the Preferred Embodiment 

[0150] A preferred embodiment of the present invention will now be described hereinbelow by reference to the accompanying drawings.
First Embodiment

[0151] There will be described a business model con- 
cerning a round of operations from establishment of a 
security policy of a certain organization to maintenance 
of the security policy. Preferably, the business model is 
implemented by a system engineer through use of a pre- 
determined expert system. 

[0152] The principle of the business model according to a first embodiment of the present invention will first be described. FIG. 1 shows a flowchart representing the principle of such a business model. As illustrated by the drawing, the business model according to the present invention is basically made up of the following six steps.

Step 1: Assessment of security maturity
Step 2: Preparation of a security policy draft
Step 3: Construction of the (virtual) information system, and inspection and analysis of the system
Step 4: Coordination between a policy and rules
Step 5: Priority planning
Step 6: Implementation of measures to enhance security.

[0153] According to the security establishment meth- 
od consisting of six steps, an interview-based security 
policy draft is first established. If necessary, the security 
policy draft is re-adjusted so as to reflect the reality of 
an organization. Since the security policy is completed 
stepwise, the security policy can be established in ac- 
cordance with the schedule or budget of an organiza- 
tion. 

[0154] Step 1 is for evaluating the current state of information security of an organization. Through assessment of information security, the organization can ascertain the goal to be attained in light of management's view of security.

[0155] Step 2 is for preparing an elementary security policy draft by means of submitting inquiries to members of the organization. The security policy draft is prepared by means of a simple interview, and hence a security policy can be prepared at relatively low cost.
[0156] Step 3 is for reviewing a difference between 
the virtually constructed information system and the re- 
ality of the organization. Since the virtually constructed 
information system is prepared on the basis of mere an- 
swers to the inquiries, a difference may arise between 
the virtually constructed information system and the re- 
ality of the organization. 

[0157] Step 4 is for adjusting, in accordance with a 
difference, a security policy or rules about security prod- 
ucts which have already been introduced. 
[0158] Step 5 is for establishing a future information 
security plan, taking into consideration precedence in 
adopting means or measures. 

[0159] Step 6 is for performing the required security protection measures according to the information security plan.



[0160] Since the security policy is established stepwise as mentioned above, a security policy can be established in accordance with the realities of each organization; that is, the budget or concept of each organization.
[0161] For instance, whether a security policy draft is sufficient or not depends on the company's way of thinking or budget. Priority planning makes the future plan specific, and hence there is the advantage that a budget for the organization can be developed easily.
[0162] The dominant steps of the business model according to the present embodiment reside particularly in steps 2 through 4. In step 2, an elementary security policy draft is prepared. In step 3, a difference between the security policy draft and the realities of the organization is analyzed. In step 4, the security policy or the rules for security products which have already been introduced are adjusted. So long as a business model includes at least steps 2 through 4, the business model enables systematic establishment of a security policy. Such a business model enables an increase in productivity and quality relative to a conventional method based on experience and intuition.

[0163] In order to implement such stepwise establishment of a security policy, various expert systems are used in the first embodiment.
[0164] Steps 1 through 6 will now be described individually, including the method of using the expert systems.

A. Step 1: Assessment of security maturity

[0165] In this step, the maturity of the current information security of an organization is objectively assessed. Through such an appraisal, the organization can be rated in terms of security. More specifically, the assessment of information security is performed by means of preparing the security maturity appraisal report.
[0166] In the first embodiment, security maturity is assessed on the basis of the Software Capability Maturity Model developed by Carnegie Mellon University in the U.S. According to this model, security maturity is quantitatively assessed with regard to five headings. In other words, scores are assigned for each of the five headings.

[0167] The five headings are as follows:

a: Comprehension and posture of an administrator regarding information security
b: Security status of an organization
c: Response to an unexpected disaster
d: Budgeting for security
e: Measures to improve security

[0168] Here, an unexpected disaster means an event which threatens information security; for example, a wiretapping activity or faulty operation of equipment. Entry "c"; i.e., response to unexpected disaster, represents whether or not the organization can address an unexpected disaster. Entry "d"; i.e., budgeting for security, represents whether or not a sufficient budget is ensured for information security. Entry "e"; i.e., measures to improve security, represents the extent to which a schedule or plan for security improvement is made.
[0169] In the first embodiment, a maturity assessment report is prepared with regard to the above-described five headings, and includes scores. By means of such a report, an objective estimate of the manager's understanding of the information system security of an organization can be ascertained.
[0170] A specific method of preparing the security maturity assessment report will now be described.
[0171] In the first embodiment, inquiries are submitted to the organization's manager (CEO, president, etc.), and a maturity assessment report is prepared on the basis of answers to the inquiries. More specifically, an appraisal device 10 shown in FIG. 2 performs preparation of inquiries, collection of answers, and preparation of the security maturity assessment report. FIG. 3 shows a flowchart representing the operations for preparing the security maturity assessment report. The flowchart shown in FIG. 3 shows, in more detail, the processing pertaining to step S1-1 shown in FIG. 1.

[0172] As shown in FIG. 2, the appraisal device 10 has inquiry preparation means 12 for preparing inquiries to be submitted to the managers to be inquired.
[0173] A variety of inquiries are stored beforehand in the storage means 14, and the inquiry preparation means 12 extracts the inquiries required for a member to be inquired.
[0174] The appraisal device 10 has answer archival storage means 16. Answers submitted by managers in response to inquiries which have been prepared in the manner mentioned above are supplied to the answer archival storage means 16. The answer archival storage means 16 preserves the answers in the storage means 14.
[0175] The first embodiment is also characterized in that the answer archival storage means 16 has an answer integration function. In a case where inquiries are submitted by a plurality of systems engineers, answers to the inquiries are collectively stored in the storage means 14 by the answer integration function. In a case where a large number of managers are to be inquired, answers can be acquired immediately by means of a plurality of systems engineers sharing the load of submitting inquiries to the managers through interviews. In such a case, the resultant answers are accumulated in a plurality of computers. Therefore, these answers must be integrated into a single database.
[0176] As a matter of course, the answer integration function can also be utilized for integrating answers submitted by a single manager on several occasions, in cases where submitting inquiries to the manager and receiving the answers could not be performed on a single occasion.



[0177] The appraisal device 10 has security maturity 
preparation means 1 8, which prepares the security ma- 
turity report, or an assessment report about information 
security of an organization, on the basis of the group of 
answers stored in the storage means 14. 
[0178] This appraisal device 10 is a so-called expert 
system. 

[0179] There is employed the appraisal device 10 having the function of integrating collected answers. Consequently, the security maturity assessment report can be prepared efficiently and precisely.
[0180] By reference to the flowchart shown in FIG. 3, there will be described an operation for preparing the security maturity assessment report.
[0181] In step S3-1, inquiries to be submitted to the member are prepared by the inquiry preparation means 12.

[0182] In step S3-2, a systems engineer submits the 
thus-prepared inquiries to the manager. 
[0183] In step S3-3, answers to the inquiries are ac- 
quired from the manager and delivered to the answer 
archival storage means 16 of the appraisal device 10. 
As set forth, the answer archival storage means 16 has
the answer integration function and sends the answers 
to the storage means 14 after having integrated them 
into a single database. 

[0184] In step S3-4, the security maturity report preparation means 18 prepares the security maturity assessment report, including the scores assigned to the five respective headings, on the basis of the group of answers stored in the storage means 14.

[0185] As mentioned above, the security maturity as- 
sessment report is prepared through use of the apprais- 
al device 10. 

Comparison between Industry Standard and Scores Described in Security Maturity Assessment Report

[0186] As mentioned previously, scores (points) are assigned to the five respective headings described in the security maturity assessment report.
[0187] The first embodiment is characterized particularly in that the average of the scores assigned to all the organizations in the industry to which the organization pertains, and the highest score in that industry, are displayed along with the score assigned in the security maturity assessment report. Here, the expression "highest score" is the top score (a theoretical value) which can be attained by any organization belonging to the industry.
[0188] As a result, the ranking of the efforts made by the organization for ensuring information security within its industry can be readily ascertained. Such a mean value and the maximum value for an individual industry are stored in the storage means 14 beforehand. Further, the average value is updated periodically.
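The scoring and comparison described in [0166] through [0188] can be illustrated with the following Python program. It is an added example and not part of the patent; the scoring rubric, the inquiry identifiers, the industry table and the 0 to 100 scale are assumptions chosen for illustration, and the "highest score" of [0187] is taken to be the theoretical top of that scale.

```python
"""Security maturity assessment report with industry comparison.

Added example; the scoring rubric, inquiry identifiers, industry table and the
0 to 100 scale are assumptions chosen for illustration, not the patent's own.
"""

HEADINGS = {
    "a": "Comprehension and posture of an administrator regarding information security",
    "b": "Security status of an organization",
    "c": "Response to an unexpected disaster",
    "d": "Budgeting for security",
    "e": "Measures to improve security",
}

# Constructed manager inquiries: the heading each counts toward and the points
# each possible answer earns. An unanswered inquiry earns nothing.
RUBRIC = {
    "policy_known":     ("a", {"yes": 2, "partly": 1, "no": 0}),
    "policy_reviewed":  ("a", {"yes": 2, "no": 0}),
    "fw_in_place":      ("b", {"yes": 2, "no": 0}),
    "av_on_all_pcs":    ("b", {"yes": 2, "partly": 1, "no": 0}),
    "incident_plan":    ("c", {"yes": 2, "draft": 1, "no": 0}),
    "security_budget":  ("d", {"dedicated": 2, "ad_hoc": 1, "none": 0}),
    "improvement_plan": ("e", {"yes": 2, "no": 0}),
}

# Constructed industry averages per heading, stored beforehand as in [0188].
INDUSTRY_AVERAGE = {"finance": {"a": 70.0, "b": 65.0, "c": 40.0, "d": 55.0, "e": 50.0}}
# The "highest score" of [0187] is the theoretical top of the scale.
INDUSTRY_MAX = 100.0


def score_headings(answers):
    """Score each heading as the share (0..100) of attainable points earned."""
    earned = dict.fromkeys(HEADINGS, 0)
    possible = dict.fromkeys(HEADINGS, 0)
    for inquiry, (heading, points) in RUBRIC.items():
        possible[heading] += max(points.values())
        if inquiry in answers:
            earned[heading] += points[answers[inquiry]]
    return {h: round(100.0 * earned[h] / possible[h], 1) for h in HEADINGS}


def maturity_report(answers, industry):
    """One row per heading: own score beside the industry average and the
    highest attainable score, plus where the organization stands."""
    scores = score_headings(answers)
    return [{"heading": h, "title": HEADINGS[h], "score": scores[h],
             "industry_average": INDUSTRY_AVERAGE[industry][h],
             "industry_max": INDUSTRY_MAX,
             "above_average": scores[h] >= INDUSTRY_AVERAGE[industry][h]}
            for h in HEADINGS]


def update_average(old_average, n_orgs, new_scores):
    """Periodic update of the stored industry average once a further
    organization (the (n_orgs + 1)-th) has been assessed."""
    return {h: round((old_average[h] * n_orgs + new_scores[h]) / (n_orgs + 1), 1)
            for h in old_average}


if __name__ == "__main__":
    manager_answers = {"policy_known": "yes", "policy_reviewed": "no",
                       "fw_in_place": "yes", "av_on_all_pcs": "partly",
                       "incident_plan": "draft", "security_budget": "none",
                       "improvement_plan": "yes"}
    for row in maturity_report(manager_answers, "finance"):
        print(f"{row['heading']}: {row['score']:5.1f}  avg {row['industry_average']:5.1f}"
              f"  max {row['industry_max']:5.1f}  {row['title']}")
```

With the constructed answers the organization scores 50, 75, 50, 0 and 100 on headings a through e, so it stands above the assumed finance average on b, c and e and below it on a and d; feeding those scores back through update_average is the periodic refresh of the stored mean that [0188] describes.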
Report on the Progress of Implementation of Security Measures

[0189] In the first embodiment, the security maturity assessment report is prepared so that the manager's understanding of the information security of an organization is investigated prior to establishment of a security policy. However, so long as the security maturity report is prepared during the course of sequential implementation of measures for information security, the progress of implementing those measures can be ascertained. Accordingly, the step of preparing the security maturity report also serves as a step of reporting the progress of implementation of security measures.
[0190] In the appraisal device 10 according to the first embodiment, all the inquiries and corresponding answers are stored in the storage means 14. However, it may be the case that inquiries are stored in one storage means and answers are stored in another storage means.

B. Step 2: Preparation of Security Policy Draft 

[0191] In this step, a simple security policy draft of an organization is prepared. The draft corresponds to a security policy based on the answers submitted by members of the organization in response to inquiries. Since the actual information system of the organization has not yet been investigated, a security policy cannot be established immediately.

[0192] Various basic headings and contents used for 
establishing a standard security policy have already 
been known as international guidelines. These guide- 
lines are hereinafter called global guidelines. In the 
present embodiment, a security policy draft is prepared 
by means of extracting principles from the global guide- 
lines and combining the thus-extracted principles, as re- 
quired. 

[0193] In the first embodiment, a security policy draft 
preparation apparatus 20 is used for preparing a secu- 
rity policy draft. FIG. 4 is a block diagram showing the 
configuration of the security policy draft preparation ap- 
paratus 20. 

[0194] As shown in FIG. 4, the security policy draft preparation apparatus 20 has inquiry preparation means 22 for preparing inquiries to be submitted to a member to be inquired, in accordance with the job specifications of that member. As with the inquiry preparation means 12 of the appraisal device 10, the inquiries are changed in accordance with the job specifications of the member to be inquired, so that useful answers are acquired.

[0195] A variety of inquiries are stored beforehand in storage means 24 provided in the security policy draft preparation apparatus 20, as in the case of the storage means 14 shown in FIG. 2. The inquiry preparation means 22 extracts appropriate inquiries from the storage means 24 in accordance with the job specifications of a member.

[0196] The security policy draft preparation apparatus 20 is further equipped with answer archival storage means 26. The answer archival storage means 26 stores answers into the storage means 24, as does the answer archival storage means 16. Further, the answer archival storage means 26 has an answer integration function.



[0197] The integration function includes the following features:

(1) A plurality of systems engineers separately conduct interviews with individual members and collect the resultant answers. For instance, if a plurality of systems engineers conduct an interview with a single member, the resultant answers are integrated into a single database. More specifically, a series of inquiries of the same type are submitted to a plurality of members, and the resultant answers are integrated into a single database.

(2) There may be a case where a single inquiry is submitted to different members through interviews. In such a case, a contradiction may arise in the answers. There are two measures to eliminate the contradiction. The first measure is a re-interview. In the event that respondents have submitted incorrect answers with regard to the contradiction, such a contradiction can be resolved by means of conducting a re-interview or an inspection (or both). The second measure is to determine the answers by means of assigning weights to the answers in accordance with the types (job specifications) of the members.

[0198] In the present embodiment, the user can freely select either the first measure or the second measure.
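The contradiction inspection and the two measures of [0197], together with the virtual establishment of the information system and the difference output of [0134] and [0147] (Step 3 of [0156]), are shown in the following Python program. It is an added example and not code from the patent; the job-specification weights, the answer records, the policy items and the tie rule (a tie in weights is handed back to the first measure, re-interview) are assumptions made here for illustration.

```python
"""Contradiction inspection, weighted matching and policy/system difference.

Added example; the job-specification weights, the answer records, the policy
items and the tie rule are assumptions, not taken from the patent.
"""
from collections import defaultdict

# Assumed weights per job specification: the network administrator's answer
# about the network outweighs that of a general staff member.
JOB_WEIGHT = {"network_admin": 3, "it_manager": 2, "general_staff": 1}

# Constructed answer records; each one is a single answer from a single
# interview session, so a member may appear more than once.
ANSWERS = [
    {"inquiry": "vpn_used",         "member": "alice", "job": "network_admin", "answer": "yes"},
    {"inquiry": "vpn_used",         "member": "bob",   "job": "general_staff", "answer": "no"},
    {"inquiry": "firewall_logging", "member": "alice", "job": "network_admin", "answer": "no"},
    {"inquiry": "firewall_logging", "member": "carol", "job": "it_manager",    "answer": "yes"},
    {"inquiry": "firewall_logging", "member": "bob",   "job": "general_staff", "answer": "yes"},
    {"inquiry": "antivirus",        "member": "carol", "job": "it_manager",    "answer": "yes"},
    {"inquiry": "antivirus",        "member": "carol", "job": "it_manager",    "answer": "yes"},
]

# Constructed security policy: the state each item must have.
POLICY = {"vpn_used": "yes", "firewall_logging": "yes", "antivirus": "yes", "backup": "yes"}


def integrate_by_member(answers):
    """Answer integration: all sessions of one member collapse into one record per
    (inquiry, member). A member who contradicts an earlier session of their own
    is listed for re-interview."""
    merged, self_contradictions = {}, []
    for a in answers:
        key = (a["inquiry"], a["member"])
        if key in merged and merged[key]["answer"] != a["answer"]:
            self_contradictions.append(a["inquiry"])
        merged[key] = a
    return list(merged.values()), self_contradictions


def inspect_contradictions(answers):
    """Contradiction inspection: inquiries that different members answered
    differently, with the (member, job) pairs behind each answer."""
    by_inquiry = defaultdict(lambda: defaultdict(list))
    for a in answers:
        by_inquiry[a["inquiry"]][a["answer"]].append((a["member"], a["job"]))
    return {q: dict(opts) for q, opts in by_inquiry.items() if len(opts) > 1}


def match_by_weight(answers, contradictions):
    """Second measure of [0197]: weight each conflicting answer by the job
    specification of whoever gave it and keep the heaviest. A tie cannot be
    estimated and is handed back to the first measure, re-interview."""
    final, reinterview = {}, []
    for a in answers:
        if a["inquiry"] not in contradictions:
            final[a["inquiry"]] = a["answer"]
    for q, options in contradictions.items():
        scores = {ans: sum(JOB_WEIGHT[job] for _, job in members)
                  for ans, members in options.items()}
        best = max(scores.values())
        winners = [ans for ans, s in scores.items() if s == best]
        if len(winners) == 1:
            final[q] = winners[0]
        else:
            reinterview.append(q)
    return final, reinterview


def differences(virtual_system, policy):
    """Difference output: policy items the virtually established system does not
    satisfy, or for which no answer settled the item at all."""
    return {item: (required, virtual_system.get(item, "unknown"))
            for item, required in policy.items()
            if virtual_system.get(item, "unknown") != required}


def analyze(answers=ANSWERS, policy=POLICY):
    """Run the whole of Step 3 over one set of answers."""
    integrated, self_contra = integrate_by_member(answers)
    contradictions = inspect_contradictions(integrated)
    final, reinterview = match_by_weight(integrated, contradictions)
    # The contradiction-free answers are the virtually established system.
    return {"contradictions": contradictions,
            "virtual_system": final,
            "reinterview": reinterview + self_contra,
            "differences": differences(final, policy)}


if __name__ == "__main__":
    for section, value in analyze().items():
        print(f"{section}: {value}")
```

On the constructed answers the VPN question is settled by weight (the network administrator outweighs general staff), the firewall-logging question ties at 3 against 3 and is sent back for re-interview, and the difference output then lists firewall logging and the never-asked backup item as gaps between the virtual system and the policy.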
[0199] The security policy draft preparation apparatus 20 has draft preparation means 28 for preparing a security policy draft. The draft preparation means 28 prepares a security policy on the basis of the group of answers stored in the storage means 24.

[0200] The security policy draft preparation apparatus 20 is a so-called expert system, as is the appraisal device 10. In fact, the previously-described individual means are preferably embodied as software which is executed on a computer.

[0201] By reference to a flowchart shown in FIG. 5, 
there will be described an operation for preparing a se- 
curity policy draft. FIG. 5 shows a flowchart representing 
an operation for preparing a security policy draft through use of the security policy draft preparation apparatus 20.
[0202] In step S5-1, job specifications of members 
who are to be inquired are supplied to the inquiry prep- 
aration means 22, and inquiries are submitted to the 
members.

[0203] As set forth, in the first embodiment, inquiries 
to be prepared are determined in accordance with job 
specifications of the members. Consequently, appropri- 
ate inquiries to be submitted to members to be inquired 
can be prepared. 

[0204] A so-called course of inquiries is determined in accordance with job specifications of a member. Ac-
tual inquiries to be submitted in each course are 
changed in response to an answer submitted by a mem- 
ber. For example, if in response to an inquiry about use 
of VPN a member has answered that VPN is not used, 
detailed inquiries about VPN are skipped. In contrast, if 
the member has answered that VPN is used, detailed 
inquiries about VPN are submitted to the member. 
[0205] Such a control operation is implemented by utilization of a so-called knowledge-based expert system.
[0206] In step S5-2, the thus-prepared inquiries are 
submitted to members. 

[0207] In step S5-3, answers to the inquiries are sub- 
mitted by the members, and the answers are entered to 
the answer archival storage means 26 of the security 
policy draft preparation apparatus 20. Preferably, the 
answers are entered by the interviewers. As a matter of 
course, there may be employed a form in which individ- 
ual members answer inquiries by way of a screen of the 
policy draft preparation apparatus 20. The answer ar- 
chival storage means 26 has an answer integration 
function, as mentioned above, and integrates answers 
acquired by a plurality of interviewers into a single da- 
tabase and stores the single database into the storage 
means 24. 

[0208] In step S5-4, on the basis of the group of an- 
swers stored in the storage means 24, the draft prepa- 
ration means 28 prepares a security policy draft by com- 
bination of various principles extracted from the global 
guidelines. 

[0209] As set forth, a security policy draft is prepared 
through use of the security policy draft preparation ap- 
paratus 20. 

[0210] In the first embodiment, there are prepared 
three levels of (drafts of) security policy: that is, an executive-level security policy (draft), a corporate-level security policy (draft), and a product-level security policy
(draft). These three levels of security policy drafts will 
be described later in section B-5. 

B-1: Inquiries (for an interview)

[0211] Inquiries (often called an "interview") will be described hereinbelow.

[0212] Headings of an interview are as follows:

1. Organization
2. Network
3. Server and host
4. Application and database
5. Security items of great importance
6. Other security items

[0213] Individual headings will now be described.

(1) Organization



[0214] In connection with heading "organization," an interview is conducted about the outline and system of an
"organization". From answers to the inquiries, there can 
be derived an information security administration sys- 
tem, policy principles, and analysis of vulnerability (anal- 
ysis of differences). 

[0215] Heading "organization" is followed by the fol- 
lowing sub-headings. 
1.1 Management system

1.2 Employees

1.3 Outline of enterprise

1.4 Vendors

1.5 Clients

1.6 Consultants

1.7 Outsourcing

1.8 Application

1.9 Network

1.10 Security profile

1.11 Business category

1.12 Organization policy 

[0216] Inquiry headings may change according to job 
specifications. For instance, inquiry heading "host" is 
not provided for a chief executive officer. Thus, the 
present embodiment is characterized in that inquiries
change according to job specifications. Thus, inquiries 
tailored to job specifications can be submitted to a mem- 
ber, thus enabling efficient conduct of an interview. 

(2) Network 

[0217] In connection with heading "network," inquiries 
about the outline, operation, and settings of a network 
are submitted through an interview. From answers to 
these inquiries, there can be derived the vulnerability of 
the network, a corporate-level policy pertaining to the 
network, or the like. 

[0218] Heading "network" is followed by the following 
sub-headings. 

2.1 Operation environment 

2.2 Network properties 

2.3 Authentication and identification 

2.4 Audit and logs 

2.5 Access control 

2.6 Modification procedures 

2.7 Disaster recovery 

2.8 Operation reliability 

2.9 Physical security 

2.10 Modem 

2.11 Workstation security 
(3) Server and host

[0219] In connection with heading "server and host," 
inquiries about the outline, operation, and settings of a 
host are submitted through an interview. From answers 
to the inquiries, there are derived the weakness of a host 
and a corporate-level policy pertaining to a host and a 
server. 

[0220] Heading "server and host" is followed by the 
following sub-headings. 

3.1 Properties of server and host 

3.2 Authentication and identification 

3.3 Audit and logs 

3.4 Access control 

3.5 Modification procedures 

3.6 Disaster recovery and back-up 

3.7 Operation reliability 

3.8 Physical security 

(4) Application and database 

[0221] In connection with heading "application and 
database," inquiries about the outline, operation, and 
settings of an application are submitted through an in- 
terview. From answers to the inquiries, there are derived 
the vulnerability of an application and a corporate-level 
policy pertaining to an application. 
[0222] Heading "application and database" is fol- 
lowed by the following sub-headings. 

4.1 Properties of application and database 

4.2 Authentication and identification 

4.3 Audit and logs 

4.4 Access control 

4.5 Modification procedures 

4.6 Disaster recovery and back-up 

4.7 Operation reliability 

4.8 Physical security 

(5) Security items of great importance 

[0223] In connection with heading "security items of 
great importance" inquiries about information usually re- 
quired for establishing a firewall are submitted through 
an interview. From answers to the inquiries, there are 
derived a corporate-level policy and a product-level pol- 
icy. 

[0224] Heading "security items of great importance" 
is followed by the following sub-headings. 

5.1 Management of firewall 

5.2 Packet filtering 

5.3 NAT (network address translation)

5.4 SMTP content filtering 

5.5 FTP content filtering 

5.6 HTTP content filtering 

5.7 Logs and alert 
(6) Other security items

[0225] In connection with heading "other security items," inquiries about information usually required for establishing a VPN are submitted through an interview. From answers to the inquiries, there are derived a corporate-level policy and a product-level policy.
[0226] Heading "other security items" is followed by the following sub-headings.

6.1 VPN properties 

6.2 VPN management 

6.3 Key delivery 

6.4 Logs and audit 

B-2 Interview style 

[0227] Contents of an interview are as set forth, and 
the interview is conducted in any of various forms, such as a free-description form or a multiple-choice form.

B-3 Interviewee 

[0228] The security policy draft preparation apparatus 
20 according to the first embodiment changes inquiries 
according to a member who is an interviewee. In short, 
inquiries are controlled according to job specifications 
of an interviewee. 

[0229] Consequently, appropriate inquiries to be sub- 
mitted to an interviewee can be prepared. 
[0230] In more detail, a so-called course of inquiries 
is determined in accordance with job specifications of a 
member. Inquiries to be submitted in each course are 
changed in response to an answer submitted by a mem- 
ber. For example, if in response to an inquiry about use 
of VPN a member has answered that VPN is not used, 
detailed inquiries about VPN are skipped. In contrast, if 
the member has answered that VPN is used, detailed 
inquiries about VPN are submitted to the member. 
[0231] Such a control operation is implemented by utilization of a so-called knowledge-based expert system.
[0232] Prior to conduct of an actual interview, job 
specifications of an interviewee must be entered into the 
security policy preparation apparatus 20. More specifi- 
cally, data pertaining to the following entries are input. 

* Name

* Department

* Title

Postal Code

Address

Country

Phone Number

E-mail Address

Type

[0233] Of these entries, entries prefixed by asterisks 
are required entries. Here, the expression "type" denotes a symbol representing a job specification. In the present embodiment, symbols shown in FIG. 6 are used for expressing a job specification. Simply put, the "type" denotes a job specification. Inquiries to be submitted are
determined on the basis of a type. A listing of types to 
be handled in the present embodiment is shown in FIG. 
6. 

[0234] Inquiries which are actually submitted to an in- 
terviewee change according to answers. Such control 
of inquiries is performed on the basis of a knowledge- 
based operation. For instance, an inquiry about an "ex- 
piration date of a password" is not submitted to mem- 
bers who have answered that no expiration is imposed 
on a password in response to an inquiry as to whether 
or not an expiration date is set for a password. In con-
trast, an inquiry about an expiration date of a password 
may be submitted to members who have answered that 
an expiration date is set for a password. 
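The knowledge-based control of inquiries described in [0204], [0230] and [0234] (a course selected by the member's type, follow-up inquiries enabled by earlier answers), as an added example that is not the patent's own code; inquiry ids, texts, member types and the course table are constructed:

```python
"""Added example (not the patent's own code): a small knowledge-based inquiry
controller. The course of inquiries is chosen by the member's type, and a
follow-up inquiry is submitted only when an earlier answer enables it, so
detailed VPN inquiries are skipped when VPN is not used and the password
expiration-date inquiry is skipped when no expiration is imposed.
Inquiry ids, texts, types and the course table are constructed."""

# (inquiry_id, heading, text, precondition) where precondition is
# (earlier_inquiry_id, required_answer) or None.
INQUIRIES = [
    ("ORG-1.1",   "organization", "Who is responsible for security management?", None),
    ("NET-2.3-A", "network", "Is an expiration date set for passwords?", None),
    ("NET-2.3-B", "network", "After how many days does a password expire?",
     ("NET-2.3-A", "yes")),
    ("OTH-6.1-A", "other", "Is a VPN used?", None),
    ("OTH-6.1-B", "other", "Which VPN protocol is used?", ("OTH-6.1-A", "yes")),
    ("OTH-6.3-A", "other", "How are VPN keys delivered?", ("OTH-6.1-A", "yes")),
]

# Course table: headings each member type is asked about. The chief executive
# is not asked host/network headings, as in [0216]; the rest is constructed.
COURSES = {
    "CEO": {"organization"},
    "NETADMIN": {"network", "other"},
}


def course_for(member_type):
    """Inquiries belonging to the headings in this type's course, in order."""
    headings = COURSES.get(member_type, set())
    return [q for q in INQUIRIES if q[1] in headings]


def next_inquiry(course, answers):
    """First unanswered inquiry whose precondition is met; None when the
    course is exhausted. An inquiry whose precondition is unmet is skipped."""
    for qid, _heading, text, pre in course:
        if qid in answers:
            continue
        if pre is not None and answers.get(pre[0]) != pre[1]:
            continue
        return qid, text
    return None


def conduct_interview(member_type, respond):
    """Drive one interview; respond(qid, text) returns the member's answer."""
    course = course_for(member_type)
    answers = {}
    while (nxt := next_inquiry(course, answers)) is not None:
        qid, text = nxt
        answers[qid] = respond(qid, text)
    return answers


def scripted(replies):
    """Respond with constructed answers from a dict (default 'n/a')."""
    return lambda qid, _text: replies.get(qid, "n/a")


if __name__ == "__main__":
    print(conduct_interview("NETADMIN", scripted({"NET-2.3-A": "no", "OTH-6.1-A": "yes"})))
```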

B-4 Information Assets to be managed 

[0235] In the first embodiment, information assets for 
which security must be ensured are classified into five 
categories; namely, network, host, application, user 
group, and others. In a case where information assets 
are entered into the security policy draft preparation ap- 
paratus 20 according to the present embodiment, data 
pertaining to the following four entries are to be input. 
Here, in a case where information assets belong to ei- 
ther category "host" or category "network," data pertain- 
ing to two additional entries; i.e., "IP address" and "sub-
net mask," are to be entered. 

Asset ID
* Asset type
* Name of asset
Details

Of these entries, entry "asset type" covers five types. 

A Application
H Host
N Network
U User group
W Others, including URLs, domain names, and file names

[0236] The expression "user group" designates a log- 
ical set of users possessing a common characteristic. 
For example, users who handle, amend, analyze, and 
report accounting information are collectively called an "accounting group." Each user group is formed from one
user or two or more users. The word "user" designates 
a human who uses information assets. 
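The asset-entry rules of section B-4 (required entries, the five asset types, and the extra IP address and subnet mask entries for hosts and networks) turned into a validation routine, as an added example that is not the patent's own code; field names and sample entries are constructed:

```python
"""Added example (not the patent's own code): validating one information-asset
entry as described in B-4: "asset type" and "name of asset" are required, the
type must be one of A/H/N/U/W, and for types H and N the additional entries
"IP address" and "subnet mask" are required and must be consistent with each
other. Field names and sample entries are constructed."""
import ipaddress

ASSET_TYPES = {"A": "application", "H": "host", "N": "network",
               "U": "user group", "W": "others"}
REQUIRED = ("asset_type", "name")
ADDRESS_ENTRIES = ("ip_address", "subnet_mask")


def check_addressing(asset_type, ip, mask):
    """Consistency of IP address and subnet mask for a host or network asset."""
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    net_addr = iface.network.network_address
    if asset_type == "N" and iface.ip != net_addr:
        # A network asset must be entered by its network address.
        return [f"network asset {ip} is not the network address of {iface.network}"]
    if asset_type == "H" and iface.network.prefixlen < 31 and iface.ip == net_addr:
        # A host cannot use the network address itself.
        return [f"host asset {ip} is the network address of {iface.network}"]
    return []


def validate_asset(entry):
    """Return the list of problems with an entry; empty means acceptable."""
    problems = [f"missing required entry: {f}" for f in REQUIRED if not entry.get(f)]
    asset_type = entry.get("asset_type")
    if asset_type and asset_type not in ASSET_TYPES:
        problems.append(f"unknown asset type: {asset_type}")
    if asset_type in ("H", "N"):
        missing = [f for f in ADDRESS_ENTRIES if not entry.get(f)]
        problems += [f"missing entry for type {asset_type}: {f}" for f in missing]
        if not missing:
            problems += check_addressing(asset_type, entry["ip_address"], entry["subnet_mask"])
    return problems


if __name__ == "__main__":
    # Constructed sample entry for a network asset entered with a host address.
    print(validate_asset({"asset_id": "N-001", "asset_type": "N", "name": "lan",
                          "ip_address": "10.1.2.5", "subnet_mask": "255.255.255.0"}))
```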

B-5 Preparation of Security Policy Draft 

[0237] A security policy is established by entering into the security policy draft preparation apparatus 20 answers to the foregoing inquiries. This device is a so-called expert system. Upon entry of answers to inquiries into the system, the system produces and outputs a security policy. Such a device, which produces data of some kind in response to entry of answers to inquiries, is already known as an expert system, and hence its detailed explanation is omitted.
[0238] In the first embodiment, three levels of security policies are produced; i.e., an executive-level security policy, a corporate-level security policy, and a product-level security policy. Similarly, there are prepared three levels of security policy drafts corresponding to the respective security policies.

(1) Executive-level security policy 

[0239] An executive-level security policy consists of descriptions of the organization's "concept" and "policy" concerning security.

[0240] An executive-level policy includes the follow- 
ing items. 
Access Control

[0241] An owner of information assets must manage 
and control the right to access information assets. In or- 
der to implement control of the access right, an access 
control mechanism of a control system used for preserving or processing information assets must be used. Item
"access control" describes the organization's concept 
and policy concerning control of the access right. 



Accuracy of Information

[0242] It is extremely important to maintain the contents of information assets accurately as they are, because information assets are indispensable for making business decisions. Item "accuracy of information" describes the organization's concept and policy concerning the guarantee of accuracy of information asset content.

Guarantee 

[0243] An organization must employ appropriate
measures to ensure suitable safety of information re- 
sources or security. Item "guarantee" describes the or- 
ganization's concept and policy concerning measures 
to ensure safety. 



Accountability

[0244] All systems must enable recording and analy- 
sis of user activities, and an individual user must have responsibility for his own acts. Item "accountability" de-
scribes the organization's concept and policy concern- 
ing personal responsibility of an individual user. 
Identification and Verification

[0245] All users must be appropriately identified in ac- 
cordance with the security level of information assets. 
Item "identification and verification" used herein describes the organization's concept and policy concerning such identification.

Emergency Response Plan 

[0246] An organization must prepare a detailed plan and procedures for ensuring appropriate response to obstacles in a system and a network. Item "emergency response plan" describes the organization's concept and policy concerning a plan and procedures for response to an emergency.

Awareness of Security 

[0247] Top executives and other employees must become conscious of requirements for the organization's information security, as well as of their personal responsibility. Item "awareness of security" describes the organization's concept and policy concerning personal responsibility.

Categorization of Information 

[0248] Information security is for protecting information assets. For this reason, information assets which are objects of protection must be categorized and appropriately protected according to their categories. Item "categorization of information" describes the organization's concept and policy concerning information assets.

Vocational Ethics 

[0249] A user must obey the determined rules for action and handle information assets ethically. In the event a user handles information assets unethically, breaks a law or rule, or handles information assets for his private benefit, the user will be subjected to sanction. In short, the user must be conscious that he may be subjected to sanction. Item "vocational ethics" describes the organization's concept and policy concerning the rules for action a user must obey.

Document Management 

[0250] All security systems must be appropriately recorded in documents and referred to as necessary. Item "document management" describes the organization's concept and policy concerning documentation.

Investigation

[0251] In the event of an obstacle or violation, the organization must investigate the obstacle or violation and record its details in documents according to the security policy. Item "investigation" describes the organization's concept and policy concerning investigation and documentation of obstacles and violations.

Privacy 

[0252] Information assets are to be used on the precondition that the privacy of concerned members is guaran-
teed. Item "privacy" describes the organization's con- 
cept and policy concerning privacy. 

Risk Management 

[0253] An owner of information assets must evaluate 
potential risks and take appropriate measures to control 
and protect information. Item "risk management" de- 
scribes the organization's concept and policy concern- 
ing evaluation of risks and measures to control and pro- 
tect information. 

Verification 

[0254] An organization must periodically verify imple- 
mentation of security. Item "verification" describes the 
organization's concept and policy concerning verifica- 
tion of security. 

Asset Assessment 

[0255] An organization must analyze its information 
assets. Item "asset assessment" describes the organi- 
zation's concept and policy concerning assessment of 
assets. 

Security Management 

[0256] An organization must manage its security policy properly and revise the security policy when amendments or improvements are necessary. Item "security management" describes the organization's concept and policy concerning security management.

(2) Corporate-level Policy

[0257] With regard to information assets of an organ- 
ization, descriptions of the executive-level policy are ap- 
plied to a corporate-level policy. The corporate-level pol-
icy corresponds to descriptions of "operating proce- 
dures." The corporate-level policy is applied to each op- 
erating unit of the organization. Operating units are 
formed by means of dividing constituent elements of an 
information system into groups according to function. 
For example, a network, a host, and an application are 
operating units. 

[0258] The executive-level policy describes the so-called "constitution" (dominant principles), whereas the corporate-level policy describes "laws" (rules based on the dominant principles).

[0259] The corporate-level security policy describes standards for the information security system of the overall organization, and standards for individual equipment constituting the information security system of the organization.

[0260] First, the corporate-level security policy is a policy concerning all operating units which constitute the organization. For example, regulations are described for each operating unit.

Network 

[0261] Item "network" describes regulations concerning the entire network of the organization.

Host 

[0262] Item "host" describes regulations concerning all hosts provided in the organization.

Application 

[0263] Item "application" describes regulations concerning all applications employed in the organization.
[0264] Second, the corporate-level security policy describes individual units into which the operating units are further sub-divided. For example, the corporate-level security policy comprises descriptions pertaining to the following items.

Software Management 

[0265] Item "software management" describes regulations with regard to use of software in the organization and management of software licenses.

Dial-Up 

[0266] Item "dial-up" describes regulations with regard to individual dial-up and remote access servers employed in the organization.

Electronic Mail 

[0267] Item "electronic mail" describes regulations with regard to individual e-mail accounts and messages in the organization.

Firewall Management

[0268] Item "firewall management" describes regula- 
tions with regard to management of individual firewalls 
used in the organization. 

Cryptography 

[0269] Item "cryptography" describes regulations with regard to implementation of individual cryptographic tools used in an organization.

Electronic Commerce 

[0270] Item "electronic commerce" describes regula- 
tions with regard to electronic transactions used in the 
organization. 

Network 

[0271] Item "network" describes regulations with re- 
gard to implementation of individual networks employed in
the organization. 

Host 

[0272] Item "host" describes regulations with regard 
to implementation of individual hosts used in the organ- 
ization. 

Application 

[0273] Item "application" describes regulations with 
regard to individual applications used in the organiza- 
tion. 

(3) Product-level Policy 

[0274] A product-level policy describes specific "op- 
erating procedure including methods" to be used for pro- 
tecting information assets and the nature of resources 
(security products and operating systems) and settings
thereof. The executive-level policy describes a policy 
and management rules, whereas the product-level pol- 
icy refers to details of hardware and software. On the 
basis of the "principles" provided by the executive-level 
policy and the "specifications" provided by the corpo- 
rate-level policy, there is provided a specific "method" 
for embodying protection of information assets. Hence, 
the product-level policy includes descriptions regarding 
implementation of specific technology. 
[0275] The product-level policy includes descriptions 
about software and hardware, as well as specific rules 
for operating software and hardware. 
[0276] For reasons of actual job performance, there may be a case where products to be used are changed, and alternate equipment may be used in the event of equipment failure. Liability for such circumstances or
product standards is left to the "principles" stipulated in 
the executive-level policy or to the "regulations" stipu- 
lated in the corporate-level policy. In other words, the 
executive-level policy or the corporate-level policy must 
sufficiently specify measures against these circum- 
stances. 

[0277] So to speak, the previously-described execu- 
tive-level policy states the principle; for example, a rule 
about a necessity for revoking an access right after com- 
pletion of a job requiring the access right.
[0278] The corporate-level policy states specific 
rules; for example, a rule about a necessity for control- 
ling access by means of an operating system. 
[0279] In contrast, the product-level policy stipulates specific means; for example, a stipulation stating that "The access control rule for server A is that only a member who has an authorization greater than or equal to Chief of Section in department B can access server A."
[0280] Another example is "Administrator X controls an
access to server A. A member who requires access to 
server A for business must request administrator X to 
issue an access right. After completion of the job, the 
member immediately requests administrator X to revoke 
the access right." 

[0281] In the present embodiment, there are two prod-
uct-level policies. 

[0282] A first-level product policy describes settings 
of individual equipment constituting the information se- 
curity system in natural language, as are the executive- 
level policy and the corporate-level policy. The foregoing
examples belong to the first-level product-level policy. 
[0283] A second-level product policy describes set- 
tings of individual equipment constituting the informa- 
tion security system in specific language used in specific 
equipment. In other words, a second-level product pol- 
icy is a script file stating settings of specific systems. 
More specifically, the second-level product-level policy 
describes a setting script file of an individual system (in- 
cluding both hardware and software). Therefore, the 
second-level product-level policy can be used for setting 
a system, in its present form. In the present embodi- 
ment, a specific script file of an individual system is pre- 
pared as a product-level security policy. Accordingly, 
there is yielded an advantage of alleviating the labor required for actually setting firewalls or routers.
[0284] Next, there is examined and analyzed a differ- 
ence existing between the thus-prepared security policy 
draft, realities of an information system, and a method 
of operating the information system. Inspection and 
analysis to be performed are made up of the following. 
[0285] A security policy draft is prepared on the basis 
of inquiries and answers thereto. In this process, variations or contradictions between answers may arise.
Moreover, answers are not necessarily correct. 
[0286] For these reasons, the following operations 
are performed during inspection and analysis. 
[0287] First, answers are examined as to whether or 
not contradiction arises among a plurality of answers. 
Further, there is performed a comparison between the 
security policy draft and an information system depicted 
from answers acquired by means of interviews. A com- 
parison is made between the security policy draft and 
the actual information system which has been verified 
through inspection, thereby detecting a difference. 
[0288] An information system is actually inspected 
through use of an analyzer, which is an expert system. 
FIG. 7 is a block diagram showing the configuration of an analyzer 30. As can be seen from the drawing, the analyzer 30 has contradiction inspection means 32 for inspecting whether or not a contradiction arises in a group of answers. An inspection result is supplied to contradiction output means 40.

[0289] The contradiction output means 40 outputs the 
inspection result to the outside in the form of an interview 
result contradiction report. 

[0290] Contents of the interview result contradiction report are supplied to matching means 41. In a case where a contradiction between answers is found, the matching means 41 performs whichever of the two operations provided below the user selects.

(1) On the basis of job specifications of the members, the most probable answer is estimated and displayed to the user. The user can adopt the estimated probable answer.
(2) An interview is conducted again with regard to the contradiction, or realities of the information system are actually investigated. Alternatively, both a re-interview and actual inspection of the information system are desirably performed.

[0291] Matched results (i.e., answers obtained as a result) of the interview are supplied to virtual information system establishment means 34.
[0292] On the basis of a group of matched answers, the virtual information system establishment means 34 virtually establishes an information system for the organization. The configuration and operation of the information system established by the virtual information system establishment means 34 are supplied to difference output means 38.

[0293] The analyzer 30 has real system input means 36 for entering the configuration and operation of an actual information system of the organization. The configuration and operation of a real system entered by way of the real system input means 36 are supplied to the difference output means 38.

[0294] As mentioned above, the virtual information system is established on the basis of only interview results. Therefore, when the virtual information system, after having been verified against the actual information system, is compared with the security policy draft, points of the actual information system which are to be amended can be ascertained more clearly.
[0295] The more accurate the actual inspection conducted for the purpose of verification, the better the inspection result. However, investigation of the entire information system consumes much time and effort and makes the interviews meaningless.

[0296] For these reasons, investigation of an actual information system is performed as a supplement to the answers obtained through the interviews. An efficient way of attaining this is to verify the virtual information system and analyze a difference between the thus-verified information system and the security policy.
[0297] For example, emphasizing investigation of a contradiction between answers is preferable. An alternative is emphasizing investigation of an inquiry which a member (i.e., interviewee) could not answer due to forgetfulness.

[0298] The extent to which an investigation is to be 
performed should be determined on the basis of a re- 
quired accuracy, time limit, and costs. The thus-deter- 
mined difference is output as an analysis report. 
[0299] Further, a security policy draft is supplied to the 
difference output means 38. By means of the foregoing 
configuration, the difference output means 38 performs 
the following two comparison operations, thereby de- 
tecting and outputting respective differences. 

(1) Analysis of a difference between a security pol- 
icy draft and the result of an interview. 

(2) Analysis of a difference between a security pol- 
icy and an interview result which has been verified 
by means of actual inspection. 

[0300] Through analysis of a difference stated in (1), 
a security policy draft is compared with the information 
system established by the virtual information system es- 
tablishment means 34. Both the security policy draft and 
the information system are prepared on the basis of re- 
sults (answers obtained as a result) of interviews con- 
ducted with the members. Therefore, it is possible that 
no substantial difference is found as a result of compar- 
ison. 

[0301] For example, it is possible that answers to interviews state that "a password is unlimitedly valid." But the security policy does not allow a password to be unlimitedly valid. Expiration of a password is a fundamental requirement of the security policy. A security policy without such a requirement does not merit being called a security policy.

[0302] For this reason, a difference can exist between
a security policy draft and interview results. A detected 
difference is output as an analysis report. 
[0303] By means of this analysis report, portions of 
interview results which are to be amended in terms of 
security policy can be found. 

[0304] During analysis of a difference stated in (2), a 
security policy draft is compared with the established vir- 
tual information system which has been verified by 
means of actual inspection. 

[0305] Either comparison (1) or (2) or both may be 
performed. Preferably, if an insufficient result is obtained 
as a result of implementation of comparison (1), com- 
parison (2) is performed. 

[0306] Preferably, higher-priority portions are subject- 
ed to actual inspection, in consideration of the priority 
determined as a result of the step 2 (S1-2 in FIG. 1) inspection and analysis to be described later.
[0307] FIG. 5 shows a flowchart representing 
processing pertaining to step 2. The flowchart shows in 
more detail processing pertaining to step S1-2 shown in FIG. 1.

[0308] In step S5-5, an inspection is performed as to whether or not the answers include a contradiction, through use of the contradiction inspection means 32. In step S5-6, an inspection is performed as to whether or not a difference exists between the security policy draft and the interview results, through use of the difference output means 38. Here, the interview results comprise the virtual information system established on the basis of answers to interviews and the virtual information system which has been verified by means of actual inspection of the real information system.

[0309] As mentioned above, according to the present 
embodiment, since the analyzer 30 shown in FIG. 7 is employed, the user can immediately become aware of
whether or not answers include a contradiction or 
whether or not a difference exists between answers and 
a real information system. 

[0310] Here, the analyzer 30 is a so-called expert system. Further, the previously-described means are pref-
erably implemented by software which runs on a com- 
puter. 

C. Step 3: Actual Inspection and Analysis of the System and Its Operation

Actual Inspection and Analysis

[0311] In the actual inspection and analysis, each difference found in the actual inspection and analysis of step S1-2 (Fig. 1) is classified into one of three categories: a difference in personnel assignment, a difference in operating method, or a difference in technical measures. For each of the three types of difference, countermeasures and their priority are analyzed.

[0312] Example measures for differences in a network policy, together with the priority of the measures, are described below.

(1) Difference 1

[0313] Type of difference: difference in personnel assignment

[0314] Details: The network policy states that an administrator is to be clearly designated for each network segment. However, in the real information system, network segment administrators are not clearly designated.

[0315] Measures: Clearly assign an administrator or owner to each network segment.

[0316] Priority: Immediately

(2) Difference 2

[0317] Type of difference: difference in technical measures

[0318] Details: The network policy states that a password used for user authentication in the network is to be deleted if it has not been used for a long period. However, the real information system has no mechanism for deleting such passwords.

[0319] Measures: Establish a mechanism for deleting the password of a user account that has not been used for 30 days.

[0320] Priority: High

[0321] As described above, the first embodiment facilitates devising measures for eliminating differences between the answers given in interviews and the real information system. Accordingly, a discrepancy between the security policy and the real information system is easily eliminated.
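The following Python example, added here and not part of the original specification, shows in working code the analysis that steps 2 and 3 describe: a contradiction check over interview answers, comparison (1) of the draft against the interview-based virtual system, comparison (2) against the system verified by actual inspection, classification of each difference into the three categories with a priority, and the stale-password check behind Difference 2. The rule identifiers, answers, inspection results, priority ordering and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed interview answers: (member, question id, answer). Two members
# disagree on one question, which the contradiction check must flag.
INTERVIEW_ANSWERS = [
    ("alice", "segment_admin_designated", "yes"),
    ("bob",   "segment_admin_designated", "no"),
    ("alice", "stale_password_deleted",   "yes"),
    ("carol", "stale_password_deleted",   "yes"),
    ("carol", "firewall_rule_review",     "monthly"),
]

# Constructed security policy draft: rule id -> (difference category, required
# value). The categories are the three of step 3: personnel assignment,
# operating method and technical measures.
POLICY_DRAFT = {
    "segment_admin_designated": ("personnel", "yes"),
    "stale_password_deleted":   ("technical", "yes"),
    "firewall_rule_review":     ("operation", "weekly"),
}

# Constructed result of actual inspection of the real information system
# (the virtual information system verified by inspection).
VERIFIED_SYSTEM = {
    "segment_admin_designated": "no",
    "stale_password_deleted":   "no",   # no deletion mechanism exists
    "firewall_rule_review":     "monthly",
}

# Assumed priority per category and the order used to sort the report.
PRIORITY = {"personnel": "Immediately", "technical": "High", "operation": "Medium"}
PRIORITY_ORDER = {"Immediately": 0, "High": 1, "Medium": 2}

# Constructed last-use dates for the stale-password check of Difference 2.
SAMPLE_LAST_USE = {"dave": date(2001, 1, 3), "erin": date(2001, 2, 20), "frank": date(2000, 12, 1)}
SAMPLE_TODAY = date(2001, 3, 1)


@dataclass
class Difference:
    rule: str
    category: str
    policy_value: str
    actual_value: str
    priority: str


def find_contradictions(answers):
    """Question ids for which different members gave conflicting answers."""
    by_question = {}
    for _member, qid, answer in answers:
        by_question.setdefault(qid, set()).add(answer)
    return sorted(q for q, given in by_question.items() if len(given) > 1)


def virtual_system_from_answers(answers):
    """Interview-based virtual system. Contradictory questions are left out so
    that they surface in the contradiction list, not as spurious differences."""
    contradictory = set(find_contradictions(answers))
    return {qid: answer for _m, qid, answer in answers if qid not in contradictory}


def analyze_differences(policy, system):
    """Compare the draft with a virtual (comparison 1) or verified (comparison 2)
    system. Rules the system says nothing about are reported as 'unknown'."""
    report = []
    for rule, (category, required) in policy.items():
        actual = system.get(rule, "unknown")
        if actual != required:
            report.append(Difference(rule, category, required, actual, PRIORITY[category]))
    return sorted(report, key=lambda d: PRIORITY_ORDER[d.priority])


def stale_accounts(last_use, today, max_idle_days=30):
    """Measure for Difference 2: user accounts whose password has not been used
    for more than max_idle_days. last_use maps user -> date of last use."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(user for user, last in last_use.items() if last < cutoff)


if __name__ == "__main__":
    print("contradictions:", find_contradictions(INTERVIEW_ANSWERS))
    interview_system = virtual_system_from_answers(INTERVIEW_ANSWERS)
    print("comparison (1), draft vs interview results:")
    for d in analyze_differences(POLICY_DRAFT, interview_system):
        print("  ", d)
    print("comparison (2), draft vs verified system:")
    for d in analyze_differences(POLICY_DRAFT, VERIFIED_SYSTEM):
        print("  ", d)
    print("accounts to delete:", stale_accounts(SAMPLE_LAST_USE, SAMPLE_TODAY))
```

Note that comparison (1) reports the contradictory question as "unknown" rather than guessing which member was right; that is the case the text says should be resolved by actual inspection, which comparison (2) then settles.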

D. Step 4: Adjustment of Policy and Rules

[0322] Step 3 clarifies the discrepancy between the real information system and the security policy draft, the measures for eliminating the discrepancy, and the priority of the measures. In step 4, the measures and the actual work are examined.
[0323] Measures are roughly classified into two cate- 
gories. 

(1) Adjust the security policy draft so as to match 
the real information system. 

(2) Adjust operation rules of the real information 
system. 

These measures will now be described in de- 
tail. 

D-1 Adjustment of Security Policy Draft

[0324] As described above, the security policy draft is prepared from what are called global guidelines: a standard security policy is drafted by appropriately combining basic items and their contents. Several types of global guideline are already known. In the first embodiment, rules and policies are extracted from the global guidelines as required, and the security policy is drafted by combining the extracted rules and policies. In the drafting phase, the most rigorous of the available global guidelines is selected for each item, and the selected guideline is taken into the security policy draft.

[0325] In terms of the severity of a rule, global guidelines differ from one another by type. For example, one global guideline defines a password as valid for 60 days, whereas another defines it as valid for 180 days.

[0326] In the drafting phase, individual rules are defined so as to comply with the most rigorous requirement. Some organizations may consider the rules of the security policy draft unacceptably rigorous. In such a case, the rules are preferably relaxed.

[0327] If, for example, a rule defining a single password as valid for 60 days is considered unacceptably rigorous, the validity period of a password is changed to 180 days after discussion with the organization. Thus a rigorous rule is changed to a less rigorous one.

[0328] In this way, as long as the severity of each rule is adjusted by weighing the organization's intent against the rigorousness of the rule, a security policy matching the real information system can be established.

[0329] The security policy draft is adjusted in the manner described above.
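The following Python example, added here and not part of the original specification, shows the two operations of D-1 in working code: drafting by taking, for every rule, the most rigorous value found in any global guideline, and then relaxing a rule to the value agreed with the organization (60 days to 180 days in the text). The example adds one check a practitioner would want, namely that the relaxed value still lies within what at least one guideline permits. The guideline names, rule identifiers and figures are constructed and are not quotations from any real standard.

```python
# Each rule records which direction is more rigorous (constructed rule
# catalogue): "lower" means a smaller value is stricter (validity days),
# "higher" means a larger value is stricter (minimum length).
RULE_DIRECTION = {
    "password_validity_days": "lower",
    "min_password_length":    "higher",
    "lockout_after_failures": "lower",
}

# Constructed values from three hypothetical global guidelines.
GUIDELINES = {
    "guideline_A": {"password_validity_days": 60,  "min_password_length": 8,  "lockout_after_failures": 5},
    "guideline_B": {"password_validity_days": 180, "min_password_length": 6},
    "guideline_C": {"password_validity_days": 90,  "min_password_length": 10, "lockout_after_failures": 3},
}


def at_least_as_rigorous(rule, a, b):
    """True if value a is at least as rigorous as value b for this rule."""
    return a <= b if RULE_DIRECTION[rule] == "lower" else a >= b


def draft_most_rigorous(guidelines):
    """Drafting phase: for every rule take the strictest value found in any
    guideline (the first guideline wins a tie). Returns rule -> (value, source)."""
    draft = {}
    for name, rules in guidelines.items():
        for rule, value in rules.items():
            if rule not in draft:
                draft[rule] = (value, name)
            elif value != draft[rule][0] and at_least_as_rigorous(rule, value, draft[rule][0]):
                draft[rule] = (value, name)
    return draft


def least_rigorous_known(guidelines, rule):
    """The most lenient value any guideline gives for the rule."""
    values = [g[rule] for g in guidelines.values() if rule in g]
    weakest = values[0]
    for v in values[1:]:
        if not at_least_as_rigorous(rule, v, weakest):
            weakest = v
    return weakest


def relax(draft, guidelines, rule, agreed_value):
    """Step 4 adjustment: replace a rule with the less rigorous value agreed with
    the organization. The new value must not be weaker than the most lenient
    guideline value; a value that is in fact stricter than the draft is not a
    relaxation and leaves the draft unchanged."""
    weakest = least_rigorous_known(guidelines, rule)
    if not at_least_as_rigorous(rule, agreed_value, weakest):
        raise ValueError(f"{rule}={agreed_value} is weaker than every guideline ({weakest})")
    if at_least_as_rigorous(rule, agreed_value, draft[rule][0]):
        return draft
    adjusted = dict(draft)
    adjusted[rule] = (agreed_value, "organization")
    return adjusted


if __name__ == "__main__":
    draft = draft_most_rigorous(GUIDELINES)
    print("draft (most rigorous):", draft)
    # 60 days is judged too rigorous; 180 days is agreed with the organization.
    print("adjusted:", relax(draft, GUIDELINES, "password_validity_days", 180))
    try:
        relax(draft, GUIDELINES, "password_validity_days", 365)
    except ValueError as exc:
        print("rejected:", exc)
```

Recording the source of each value ("guideline_A", "organization") keeps the audit trail the later priority planning and review steps need: a reviewer can see which rules were taken from a guideline and which were negotiated down.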

D-2 Adjustment of Rules

[0330] On the basis of the measures described in connection with the inspection and analysis above, the operation rules of the real information system are adjusted. Adjustment of rules means modifying an operating method and modifying the rule settings of a security system (e.g., a firewall).

E. Step 5: Priority Planning

[0331] Establishment of the security policy for the organization's real information system is completed by step 4.

[0332] Security measures must then be carried out in sequence in accordance with the established security policy. In step 5, the measures are examined in consideration of their priority and compiled into a list. Such a list enables planning of future security measures, and a budget can be examined on the basis of the plan. Without such a list, forecasting the cost of future information security would be difficult, making it hard to draw up a budget.

[0333] Security measures include training to make members respect the security policy and analysis of system logs, as well as introduction and testing of security systems.

[0334] Security measures also include monitoring of the network, auditing of operations against the security policy, and review of the security policy.

[0335] The security policy may have to be modified in response to a change in the organization's information system or in its operation. For this reason, the security policy must be reviewed periodically.

F. Step 6: Implementation of Security Enhancement Measures

[0336] On the basis of the prioritized list of security measures prepared in step 5, security enhancement measures are actually implemented. Following the list and the security policy allows the measures to be implemented smoothly.

[0337] In the first embodiment, the processing from establishment of a security policy to its maintenance is performed in six steps. A security policy can therefore be established and implemented stepwise, taking the organization's wishes into account.

Second Embodiment (Consideration of field of business)

[0338] The first embodiment described an example in which inquiries are changed according to the job specifications of the members belonging to an organization. No particular consideration was given, however, to the organization's field of business.

[0339] For instance, the security policy to be established for an organization in the financial industry differs from that for an organization in the manufacturing industry.

[0340] For this reason, the second embodiment establishes a security policy in consideration of the organization's field of business.

[0341] The security policy draft preparation apparatus 20 shown in Fig. 4 changes inquiries according to the job specifications of a member. The second embodiment describes, in addition, a case in which inquiries are changed according to the organization's field of business.

[0342] FIG. 8 is a block diagram showing the configuration of a security policy draft establishment device 120 according to the second embodiment of the present invention.

[0343] The security policy draft establishment device 120 is substantially identical with the security policy draft establishment device 20 shown in Fig. 4.

[0344] One difference between the devices 20 and 120 is that the device 120 has inquiry preparation means 122 for preparing inquiries on the basis of the field of business of the organization to which the members to be interviewed belong.

[0345] Inquiries that vary by field of business are stored beforehand in storage means 124. On the basis of an entered field of business, the inquiry preparation means 122 reads from the storage means 124 the inquiries corresponding to that field.

[0346] Answer archival storage means 126 operates in substantially the same manner as the answer archival storage means 26 shown in FIG. 4.

[0347] This configuration enables a more elaborate security policy to be established, because the inquiries correspond to the organization's field of business.

[0348] For instance, an inquiry such as "How is the depositor list managed?" is prepared for an organization in the financial industry, but generating that inquiry for an organization in the manufacturing industry is meaningless. Conversely, an inquiry such as "How is the progression data for each manufacturing lot managed?" is prepared for an organization in the manufacturing industry, but generating it for an organization in the financial industry is meaningless.

[0349] Consequently, in the second embodiment, inquiries are changed according to the organization's field of business and more detailed inquiries can be made, so that the details of the organization's information system (including its operation and management) can be ascertained more thoroughly.
[0350] Here, a change in inquiries means a change in the course of inquiries, as in the case of job specifications. More specifically, a course containing inquiries aimed at the financial industry is applied to an organization in the financial industry, and a course containing inquiries aimed at the manufacturing industry is applied to an organization in the manufacturing industry. Within each course, the next inquiry to be put is chosen according to the answer the member gave to the preceding inquiry, as in the first embodiment.

[0351] Draft preparation means 128 shown in FIG. 8 is essentially identical with the draft preparation means 28 shown in FIG. 4. On the basis of the answers to the more detailed inquiries prepared by the inquiry preparation means 122, the draft preparation means 128 prepares a security policy draft. Consequently, as mentioned above, a more detailed security policy draft can be prepared.

[0352] The operation required for preparing a security policy draft in the second embodiment is substantially identical with that described in the flowchart of FIG. 5.

[0353] The difference from the first embodiment is that in step S5-1 the organization's field of business is supplied to the inquiry preparation means 122, as are the job specifications of the member. As a result, the inquiry preparation means 122 can prepare appropriate inquiries on the basis of both the job specifications of the members and the organization's field of business.

[0354] In the second embodiment, inquiries are prepared in consideration of the organization's field of business. Hence, the organization's information security system can be ascertained in more detail through the interview, and a more detailed security policy can be established.

[0355] Although the above description has taken as an example inquiries changed according to the organization's field of business, inquiries may also be changed according to the scale of the organization.

[0356] In the above description, a change in the course of inquiries has been taken as an example of a change in inquiries. However, other methods can be employed. For instance, a basic framework of inquiry statements may be determined in advance and the terms in the statements changed to suit the organization's field of business. More specifically, while "president" is used in inquiry statements aimed at general corporations, the term may be switched to "bank president" when the inquiry statement is put to a bank.
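The following Python example, added here and not part of the original specification, implements the two techniques of the second embodiment together: a course of inquiries selected by field of business in which the answer to each inquiry chooses the next one, and term substitution within a fixed inquiry framework ("president" becomes "bank president" for a bank). It also adds the check a practitioner would run on such a knowledge base, that every transition points at an existing inquiry. The courses, inquiry texts and answers are constructed for the example; unknown fields fall back to the general course, which is an assumption of the example rather than a statement of the specification.

```python
# Constructed inquiry courses, one per field of business. Each entry maps an
# inquiry id to (inquiry text, transitions); transitions map an answer to the
# next inquiry id, "*" matches any answer, and None ends the course.
COURSES = {
    "general": {
        "q1": ("Is an administrator designated for each network segment?", {"yes": "q2", "no": "q3"}),
        "q2": ("Does the {head} approve the list of segment administrators?", {"yes": None, "no": "q3"}),
        "q3": ("Do you have personnel responsible for the trunk network?", {"*": None}),
    },
    "financial": {
        "q1": ("How is the depositor list managed?", {"*": "q2"}),
        "q2": ("Is access to the depositor list approved by the {head}?", {"yes": "q3", "no": "q4"}),
        "q3": ("Do you have personnel responsible for the ATM network?", {"*": None}),
        "q4": ("Who grants access to the depositor list?", {"*": "q3"}),
    },
    "manufacturing": {
        "q1": ("How is the progression data for each manufacturing lot managed?", {"*": "q2"}),
        "q2": ("Does the {head} review access to lot data?", {"yes": None, "no": "q3"}),
        "q3": ("Do you have personnel responsible for the plant network?", {"*": None}),
    },
}

# Term substitution by field of business ("president" becomes "bank president").
HEAD_TERM = {"general": "president", "financial": "bank president", "manufacturing": "president"}


def select_course(field_of_business):
    """Course and head-of-organization term for the field; unknown fields get
    the general course (an assumption of this example)."""
    field = field_of_business if field_of_business in COURSES else "general"
    return COURSES[field], HEAD_TERM[field]


def validate_courses(courses=COURSES):
    """Knowledge-base check: every course starts at q1 and every transition
    points at an existing inquiry. Returns a list of problems (empty = ok)."""
    problems = []
    for field, course in courses.items():
        if "q1" not in course:
            problems.append(f"{field}: no q1")
        for qid, (_text, transitions) in course.items():
            for answer, nxt in transitions.items():
                if nxt is not None and nxt not in course:
                    problems.append(f"{field}/{qid}: answer {answer!r} leads to missing {nxt}")
    return problems


def run_interview(field_of_business, answer_fn):
    """Put the course's inquiries one at a time; answer_fn(inquiry_text) returns
    the member's answer, which selects the next inquiry. Returns a transcript
    of (inquiry id, rendered inquiry, normalized answer)."""
    course, head = select_course(field_of_business)
    transcript, qid, visited = [], "q1", set()
    while qid is not None:
        if qid in visited:
            raise RuntimeError(f"course loops back to {qid}")
        visited.add(qid)
        text, transitions = course[qid]
        rendered = text.format(head=head)
        answer = answer_fn(rendered).strip().lower()
        transcript.append((qid, rendered, answer))
        if answer in transitions:
            qid = transitions[answer]
        elif "*" in transitions:
            qid = transitions["*"]
        else:
            raise ValueError(f"unexpected answer {answer!r} to {qid}: {rendered}")
    return transcript


def scripted(answers):
    """Answer function replaying a constructed list of answers, for demonstration."""
    it = iter(answers)
    return lambda _inquiry: next(it)


if __name__ == "__main__":
    print("course problems:", validate_courses())
    for qid, inquiry, answer in run_interview("financial", scripted(["on a file server", "No", "the branch manager", "yes"])):
        print(f"{qid}: {inquiry} -> {answer}")
```

Keeping the inquiry graph as data separate from the interview driver is what lets the third and fourth embodiments plug in industry regulations or a user-designated guideline: only the course tables change, not the driver.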

Third Embodiment (consideration of recommendations and regulations in a specific industry)

[0357] In the example described in connection with the first embodiment, a security policy is established on the basis of global guidelines (step S5-4). In many cases global guidelines are prepared with a specific objective in mind, but they are generally constructed so that they can be used for general purposes.

[0358] In contrast to these general-purpose global guidelines, there are known recommendations and regulations issued within a specific industry, which explicitly state that they are aimed at that industry. Many such recommendations and regulations refer to information security, and it is desirable to utilize them when establishing a security policy, just as global guidelines are utilized.

[0359] For example, the Japanese FISC (The Center for Financial Industry Information Systems) lays down safety standards and promotes security policies for ensuring security. FISC publishes a document titled "Safety Provision Standards for Computer Systems in Financial Institutions."

[0360] In the third embodiment, when a security policy aimed at the financial industry is established, it is proposed to establish the security policy on the basis of the "Safety Provision Standards for Computer Systems in Financial Institutions" as well as on the basis of global guidelines. As a result, in a specific industry, the security policy is established on the basis of recommendations and regulations focused on that industry, and a more elaborate security policy becomes feasible.

[0361] FIG. 9 shows a security policy draft preparation apparatus according to the third embodiment which utilizes recommendations and regulations aimed at a specific industry. FIG. 9 is a block diagram showing the configuration of a security policy draft preparation apparatus 220 according to the third embodiment. As illustrated, the apparatus 220 is substantially identical in configuration with the security policy draft preparation apparatus 120 shown in FIG. 8. The difference is that information concerning the organization's field of business is supplied to draft preparation means 228 as well as to inquiry preparation means 222. On the basis of the organization's field of business, the draft preparation means 228 selects the global guidelines to be used for preparing the security policy draft. The number of global guidelines selected is not limited to one; two or more may be selected. Furthermore, the construction shown in FIG. 9 has the following features.

[0362] First, a point of novelty of the third embodiment is that recommendations and regulations aimed at a specific industry are displayed to the user, who can select any of them according to the organization's industry. For example, in the financial industry, a security policy (draft) utilizing the recommendations and regulations aimed at that industry can be prepared through this operation.

[0363] Second, information concerning recommendations and regulations aimed at a specific industry is stored in storage means 224 in the same manner as information concerning global guidelines. By means of the stored information, the inquiry preparation means 222 can prepare inquiries complying with the recommendations and regulations established for the industry to which the organization belongs, and the draft preparation means 228 can establish a security policy on the basis of those recommendations and regulations.

[0364] The operation required for preparing a security policy draft in the third embodiment is essentially identical with that described in connection with the flowchart of FIG. 5. The differences are as follows:

First, in step S5-1 the organization's field of business is supplied to the inquiry preparation means 222, and inquiries complying with the recommendations and regulations aimed at the organization's industry are prepared. If the user did not select any of the displayed recommendations or regulations, or if no such recommendations or regulations exist, inquiries are prepared on the basis of global guidelines, as in the first and second embodiments.

Second, in step S5-4 the organization's field of business is also supplied to the draft preparation means 228, which prepares a security policy draft complying with the recommendations and regulations aimed at the organization's industry. If the user did not select any of the displayed recommendations or regulations, or if no such recommendations or regulations exist, the security policy draft is prepared on the basis of global guidelines, as in the first and second embodiments.

[0365] For example, an inquiry such as "Do you have personnel responsible for the trunk network?" is prepared in accordance with global guidelines. In the case of the financial industry, however, an inquiry such as "Do you have personnel responsible for the ATM (automatic teller machine) network?" is prepared in accordance with the "Safety Provision Standards for Computer Systems in Financial Institutions."

[0366] Such an inquiry is prepared by the technique of "changing an inquiry according to field of business" described in connection with the second embodiment. For example, if the organization's field of business is the financial industry, an inquiry complying with the "Safety Provision Standards for Computer Systems in Financial Institutions" is prepared and used in the interview. An expert system which prepares such inquiries can be configured by utilizing knowledge-based information that includes information about the "Safety Provision Standards for Computer Systems in Financial Institutions."

[0367] Establishing a security policy by this technique enables a more elaborate security policy to be established.

Overlap between Items

[0368] For items which do not appear in the global guidelines and appear only in the recommendations and regulations aimed at a specific industry, the security policy is naturally established on the basis of the recommendations and regulations.

[0369] Conversely, for items which appear only in the global guidelines and not in the recommendations and regulations aimed at a specific industry, the security policy is established on the basis of the global guidelines, as in the first embodiment.

[0370] Further, for items which appear both in the global guidelines and in the recommendations and regulations aimed at a specific industry, establishing the security policy on the basis of the recommendations and regulations is desirable.



Fourth Embodiment (designation of global guidelines by user)

[0371] Establishment of a security policy based on global guidelines or on recommendations and regulations aimed at a specific industry has been described thus far.

[0372] A user may wish to establish a security policy on the basis of a particular global guideline. For example, in a certain nation (e.g., the U.S.) a specific global guideline (e.g., COBIT, described later) has already come into use as a de facto standard. Against this backdrop, there are many cases where establishing a security policy on the basis of that specific global guideline (e.g., COBIT) is desirable.

[0373] In the fourth embodiment, the global guideline to be utilized in establishing a security policy is constructed such that the user can designate it explicitly.

[0374] Fig. 10 is a block diagram showing the configuration of a security policy draft preparation apparatus 320 according to the fourth embodiment. As illustrated, information concerning the global guideline designated by the user is supplied to inquiry preparation means 322 and to draft preparation means 328.

[0375] The inquiry preparation means 322 prepares an inquiry (or inquiries) on the basis of the job specifications of a member. In the fourth embodiment, the inquiry preparation means 322 prepares inquiries complying with the global guideline designated by the user.

[0376] The draft preparation means 328 prepares a security policy draft on the basis of the global guideline designated by the user.

[0377] The operation required for preparing a security policy draft in the fourth embodiment is substantially identical with that shown in FIG. 5, apart from the following differences.

[0378] The first difference is that in step S5-1 an inquiry complying with the global guideline designated by the user is prepared.

[0379] The second difference is that in step S5-4 a security policy draft complying with the global guideline designated by the user is prepared.

[0380] In the fourth embodiment, the global guideline to be used for establishing a security policy can be selected. Inquiries are prepared in compliance with the global guideline selected by the user, and a security policy draft is prepared on the basis of the answers to the inquiries. Consequently, a security policy complying with the global guideline desired by the user can be established.

[0381] For example, if the user has selected BS7799, described later, a security policy complying with (or intended to comply with) BS7799 can be established.

Global Guidelines

[0382] Examples of widely known global guidelines are provided below.



(1) BS7799

BS7799 was established by the BSI (British Standards Institution) in 1995. BS7799 prescribes fundamental management items (controls) which summarize best practices in information security.

Wherever information assets must be protected, regardless of the scale of the organization and whether it is a government body, an NGO (non-governmental organization) or an NPO (non-profit organization), to say nothing of industry, BS7799 serves as a code and reference when the scope of information security is defined.

BS7799 therefore shares its objective with ISO/IEC 13335 "IT security management guidelines (GMITS)" and ISO/IEC 15408 "IT security evaluation criteria," both described later. BS7799 differs from those guidelines in two respects.

First, the other standards specify details of security techniques with IT as their object, whereas BS7799 provides comprehensive guidance and references for a management system. Second, the object of BS7799 is not limited to electronic media: information assets of other kinds, such as paper, are also within its scope.

Recently BS7799 has gained international attention. Detailed individual controls over information security are of course important, but the attention is attributed to a perception, like that underlying the management system requirements of ISO 9000, that a system which creates a management plan (through risk analysis), monitors the allocation and management of the required resources, and objectively reviews the plan is effective for information security management; this perception is said to have become widespread.

BS7799 consists of two parts: a first part relating to a code of practice for information security management, and a second part relating to the specification of an information security management system. The first part describes best practices and provides guidance in the form of management advice. The second part describes the development of a management framework and serves as the reference for system audit. The first part (BS7799-1) has now been adopted by ISO as ISO/IEC 17799.
(2) GASSP

GASSP (Generally Accepted System Security Principles) is intended to promote good practice and to reduce risk and the impact of risk. GASSP takes the information security guidelines laid down by the OECD as a hierarchical model and elaborates their details.

The policy at the highest level, which serves as the basic policy, is called the pervasive principles and sets out the target security concept.

The policy at the next level is called the broad functional principles and states specific implementations of the pervasive principles.

The policy at the next lower level is called the detailed principles and describes detailed security guidelines corresponding to the environment.

The policies cover management of the privacy of individuals and of organizations, as well as guidelines relating to management and products.

(3) GMITS

GMITS (The Guidelines for the Management of IT Security) is prepared by ISO (International Organization for Standardization). GMITS is intended to set standards for the operation, management, and planning of information technology security.

GMITS consists of five parts:

Part 1: Concepts and models for IT Security
A general description of information security is provided in Part 1.

Part 2: Managing and Planning IT Security
Part 2 describes an operation analogous to a security life cycle.

Part 3: Techniques for the Management of IT Security
Part 3 describes the details of what is described in Part 2.

Part 4: Selection of Safeguards
Part 4 describes the selection of security measures on the basis of the security rules.

Part 5: Management Guidance on Network Security
Part 5 was still a draft (a preliminary version) at the time of writing.

(4) ISO/IEC 15408

ISO/IEC 15408 is a "collection of requirements" compiling the requirements for the security functions which products or systems using information technology are to have (functional requirements) and the requirements for gaining assurance that a security function is reliably implemented in the process from the design phase to commercialization of a product (assurance requirements).

(5) COBIT

COBIT (Control Objectives for Information and Related Technology) presents good practices for security in a process framework spanning a plurality of domains and provides a manageable logical structure. The good practices are prepared on the basis of the consensus of many experts. COBIT is a global guideline designed to help resolve business risk and the gap between the need for control and technical problems.

(6) EU Directive

Here, the EU Directive is the directive (Directive 95/46/EC) officially titled "Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data." The directive specifies general rules concerning the legitimacy of personal data processing. More specifically, it specifies the principle of data quality, the principles on the grounds for legitimacy of data processing, the information to be given to a person whose personal data are to be processed, and the right of that person to access his or her own data.



Fifth Embodiment (designation of rigorousness)

5-A Establishment of Security Policy for which Rigorousness has been designated

[0383] In the embodiments described thus far, the rigorousness of the security policy has been adjusted manually, namely by the user's operation in step S1-4 shown in FIG. 1.

[0384] However, when the rigorousness desired of the security policy has been determined beforehand, it is desirable to reflect that rigorousness in the security policy from the preparation of the security policy draft in step S1-2.

[0385] In step S1-4 of FIG. 1, the rigorousness of each rule is adjusted by hand. It would be convenient for the user to be able to define an indicator of rigorousness, specify the rigorousness of the security policy with that indicator, and have the rigorousness of each rule adjusted automatically on the basis of the specified indicator.

[0386] The fifth embodiment is characterized in that the user can objectively specify the rigorousness of the security policy in step S1-2 or S1-4 shown in FIG. 1.

[0387] To implement designation of the rigorousness of a security policy by the user, the fifth embodiment defines five indicators representing the rigorousness of a security policy. The indicators are arranged in descending order of rigorousness: the "highest level" indicator has the highest rigorousness, and the "educational institution level" the lowest.

(1) Highest Level: the level of security rigorousness considered to be required by a government or military organization;

(2) Financial Level: the level of security rigorousness considered to be required by a financial institution;

(3) International Level: the level of security rigorousness considered to be required by international enterprises;

(4) General Level: the level of security rigorousness considered to be required by domestic enterprises;

(5) Educational Institution Level: the level of security rigorousness considered to be required by an educational institution.

[0388] Five levels of security rigorousness are illustrated here. Three levels, namely a highest, a medium, and a lowest level of security rigorousness, may of course be adopted instead.



[0389] Utilization of indicators of rigorousness of a se- 
s curity policy in step S1-2 (FIG. 1 ) will now be described. 
When preparing a security policy draft in step S1 -2 (FIG. 
1 ), the user selects a desired security rigorousness from 
the above-described five levels of security rigorousness 
and instructs the selected level of security rigorousness 
10 to the draft preparation apparatus 20. 

[0390] By means of the indicator of rigorousness, the 
user extracts from the global guidelines the regulations 
having the desired rigorousness, thereby enabling 
preparation of a security policy draft of the rigorousness 
desired by the user. Many of the global guidelines include 
indicators representing the rigorousness of a security 
policy. Hence, preparation of a security policy draft of 
the desired rigorousness is feasible. 

[0391] The extraction operation is to incorporate 
knowledge concerning the rigorousness of each global 
guideline into the knowledge-based information, and to 
extract an appropriate rule from the global guidelines on 
the basis of the indicator prescribed by the user, by 
utilization of the knowledge-based information. Knowledge 
about the rigorousness of each of the global guidelines 
is knowledge produced by linking the five levels of 
security rigorousness with the regulations corresponding 
to the indicators of rigorousness. Through use of such 
knowledge, regulations corresponding to a given indicator 
of rigorousness can be selected from the global 
guidelines. 

[0392] FIG. 11 is a block diagram showing the 
configuration of a security policy draft preparation 
apparatus 420 according to the fifth embodiment of the 
present invention. As illustrated, the indicator of 
rigorousness prescribed by the user is delivered to the 
draft preparation means 428 in the security policy draft 
preparation apparatus 420. 

[0393] On the basis of the indicator of rigorousness 
prescribed by the user, the draft preparation means 428 
prepares a security policy draft. As mentioned above, 
the preparation operation is effected by holding, in the 
knowledge-based information, knowledge about the policy 
matching each indicator of rigorousness, and by 
extracting from the global guidelines the policy matching 
the prescribed indicator on the basis of that knowledge. 
Briefly, this operation corresponds to pre-arranging, in 
the knowledge-based information, a rule concerning the 
setting of a policy for a given indicator of rigorousness. 

[0394] Operation required for establishing a security 
policy according to the fifth embodiment is essentially 
identical with that described in connection with the 
flowchart shown in FIG. 5, exclusive of the following two 
points: 

[0395] First, in step S5-1 the inquiry preparation 
means 422 prepares inquiries on the basis of the level 
of rigorousness prescribed by the user. The level of 
rigorousness has a smaller effect on the inquiries than 
do other parameters (e.g., the field of business). In 
general, as the level of rigorousness is increased, the 
prepared inquiries concern items of greater detail, and 
as the level of rigorousness is decreased, inquiries 
about such detailed items are not prepared. 

[0396] The rigorousness of a security policy may be 
reset to a higher level after the security policy has 
been established. In this case, the higher level of 
rigorousness prescribed by the user is supplied also to 
the inquiry preparation means 422, which accordingly 
prepares inquiries concerning items of greater detail. 
Consequently, some inquiries may have to be put to the 
members (i.e., interviewees) of the organization once 
again. 
[0397] If the level of rigorousness of a security policy 
is reset to a lower level, no new inquiries are usually 
generated. Consequently, in this case, a new security 
policy can be established immediately, without 
conducting further inquiries. 
[0398] Second, in step S5-4 the indicator of rigorous- 
ness prescribed by the user is supplied to the draft prep- 
aration means 428, and the draft preparation means 428 
prepares a security policy draft on the basis of the indi- 
cator of rigorousness. 

[0399] The operation required for establishing a se- 
curity policy according to the fifth embodiment is essen- 
tially identical with that described in connection with the 
flowchart shown in FIG. 5, exclusive of the above-de- 
scribed two points. 

5-B Adjustment of security policy for which level of 
rigorousness has been designated 

[0400] In the fifth embodiment, adjustment of a security 
policy is effected automatically in step S1-4 (FIG. 1). 
FIG. 12 is a block diagram showing the configuration of 
a security policy rigorousness adjustment apparatus 
500 for effecting such adjustment. As illustrated, the 
security policy rigorousness adjustment apparatus 500 
comprises rigorousness inspection means 502, 
rigorousness adjustment means 504, storage means 506, 
and merging means 508. 
[0401] The rigorousness inspection means 502 is supplied 
with the security policy draft produced by the operations 
up to step S1-3 (FIG. 1). On the basis of the indicator 
of rigorousness prescribed by the user, the rigorousness 
inspection means 502 inspects whether each of the rules 
in the security policy draft matches the prescribed 
rigorousness. Rules which match the prescribed 
rigorousness are output in their present form. Rules 
which fail to match are supplied to the rigorousness 
adjustment means 504, which rewrites them on the basis 
of the prescribed indicator of rigorousness and outputs 
the rewritten rules. Information on the correlation 
between the global guidelines, the respective rules in 
the global guidelines, and the indicator of rigorousness 
is stored in the storage means 506. 
[0402] FIG. 13 shows a flowchart representing the 
operation of the security policy rigorousness adjustment 
apparatus 500. 

[0403] In step S13-1, a security policy draft is supplied 
to the rigorousness inspection means 502. 
[0404] In step S13-2, the rigorousness inspection 
means 502 inspects whether each of the rules in the 
supplied security policy draft matches the indicator of 
rigorousness prescribed by the user. If all the rules 
match the indicator of rigorousness, processing proceeds 
to step S13-3, described later. In contrast, if some of 
the rules fail to match the indicator of rigorousness, 
processing proceeds to step S13-4. 

[0405] In step S13-4, the rules which fail to match the 
indicator of rigorousness are changed by the 
rigorousness adjustment means 504 so as to match the 
indicator, by utilization of the information on the 
correlation between the rules provided in the global 
guidelines and the indicator of rigorousness, which 
information is stored in the storage means 506. The 
information gives, for each of the rules provided in the 
global guidelines, the indicator of rigorousness to which 
it corresponds. Utilization of the information enables 
the rules matching the indicator of rigorousness 
prescribed by the user to be ascertained. The 
thus-ascertained rules are extracted from the global 
guidelines stored in the storage means 506, and the rules 
which fail to match the indicator of rigorousness are 
replaced with them. 

[0406] In step S13-3, the merging means 508 merges the 
rules that matched the indicator of rigorousness from 
the beginning with the altered rules, and outputs the 
merged rules. 

[0407] Thus, each of the rules provided in the security 
policy draft can be matched with the indicator of 
rigorousness prescribed by the user. 
[0408] The rigorousness inspection means 502, the 
rigorousness adjustment means 504, and the merging 
means 508 according to the fifth embodiment are 
preferably implemented in the form of software which 
runs on a computer. Further, the storage means 506 is 
preferably embodied as a storage medium, such as a hard 
disk drive, CD-ROM, or DVD. 

Relationship between rule and indicator of rigorousness 

[0409] A more detailed explanation is given of the case 
where in step S13-2 the rigorousness of a rule has been 
determined not to match the indicator of rigorousness 
prescribed by the user. 
[0410] If the rigorousness of a rule is lower than the 
rigorousness indicated by the indicator, the rule is 
determined to fail to match the indicator of 
rigorousness, and is replaced with a rule of higher 
rigorousness level. 

[0411] For example, if the rules are of educational 
institution level and the rigorousness prescribed by the 
user is of financial level, the rules are replaced with 
rules of financial level. In that case the period of 
validity of a password is shortened, for instance from 
120 days to 30 days. Thus, rules are replaced with more 
rigorous rules. 
[0412] If a rule is higher in level than the indicator of 
rigorousness, the rule is likewise determined to fail to 
match the indicator of rigorousness, and is replaced 
with a rule of lower rigorousness level. 
[0413] If rules are at the highest level of rigorousness 
and the level of rigorousness prescribed by the user is 
the general level, the rules are replaced with rules of 
general level. For example, in rules of the highest level 
of rigorousness, the period of validity of a password is 
one week. If the rules are too rigorous, the user 
prescribes the general level of rigorousness. As a 
result, the period of validity of a password is extended 
to 100 days, and the rules are replaced with rules of 
lower level of rigorousness. 
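The procedure of FIG. 13 (steps S13-1 to S13-4) and the tightening and loosening of rules described in paragraphs [0409] to [0413], written out in Python as an added example; this is not code from the patent. The five levels are those of paragraph [0387], and the password validity periods are the figures the text uses, but the rule topics, the rule texts, and the knowledge base linking each guideline rule to an indicator (the content of storage means 506) are constructed sample data. The fallback used when the guidelines hold no rule at exactly the prescribed level is this example's own assumption; the patent does not say what happens in that case.

```python
"""Rigorousness adjustment of a security policy draft, after FIG. 13.

Added example; not code from the patent.  Levels follow paragraph
[0387].  Rule topics, rule texts and the knowledge base linking each
guideline rule to an indicator are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Five indicators of rigorousness in descending order; rank 0 is strictest.
LEVELS = ["highest", "financial", "international", "general", "educational"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Rule:
    topic: str   # what the rule governs, e.g. "password.validity"
    level: str   # indicator of rigorousness the rule corresponds to
    text: str    # the rule as it appears in the policy


# Knowledge-based information held in storage means 506: each guideline
# rule linked to its indicator.  Constructed sample data; the password
# validity periods are the figures used in paragraphs [0411] and [0413].
GLOBAL_GUIDELINES = [
    Rule("password.validity", "highest", "Passwords expire after 7 days."),
    Rule("password.validity", "financial", "Passwords expire after 30 days."),
    Rule("password.validity", "general", "Passwords expire after 100 days."),
    Rule("password.validity", "educational", "Passwords expire after 120 days."),
    Rule("password.length", "highest", "Passwords are at least 16 characters."),
    Rule("password.length", "financial", "Passwords are at least 12 characters."),
    Rule("password.length", "general", "Passwords are at least 8 characters."),
    Rule("remote.access", "financial", "Remote access requires a hardware token."),
    Rule("remote.access", "general", "Remote access requires a VPN login."),
]


def inspect(rule: Rule, indicator: str) -> bool:
    """Step S13-2 (inspection means 502): does the rule match the indicator?"""
    return rule.level == indicator


def find_replacement(rule: Rule, indicator: str,
                     guidelines: List[Rule]) -> Optional[Rule]:
    """Step S13-4 (adjustment means 504): the guideline rule on the same
    topic that carries the prescribed indicator.  Assumption of this
    example, not stated in the patent: if no rule exists at exactly that
    level, take the nearest rule that is at least as rigorous, so the
    draft never ends up weaker than the user asked for."""
    same_topic = [g for g in guidelines if g.topic == rule.topic]
    exact = [g for g in same_topic if g.level == indicator]
    if exact:
        return exact[0]
    stricter = [g for g in same_topic if RANK[g.level] < RANK[indicator]]
    return max(stricter, key=lambda g: RANK[g.level], default=None)


def direction(old: Rule, new: Rule) -> str:
    """Paragraphs [0410] to [0413]: was the rule tightened or loosened?"""
    if RANK[new.level] < RANK[old.level]:
        return "tightened"
    if RANK[new.level] > RANK[old.level]:
        return "loosened"
    return "unchanged"


def adjust_rigorousness(draft: List[Rule], indicator: str,
                        guidelines: List[Rule] = GLOBAL_GUIDELINES
                        ) -> Tuple[List[Rule], List[Tuple[Rule, Rule]]]:
    """Steps S13-1 to S13-3: inspect every rule of the draft, rewrite the
    mismatches, and merge (merging means 508) in the draft's original
    order.  Returns the merged rules and the (old, new) pairs that were
    changed, so the adjustment can be reviewed before the draft is adopted."""
    if indicator not in RANK:
        raise ValueError(f"unknown indicator of rigorousness: {indicator!r}")
    merged, changes = [], []
    for rule in draft:
        if inspect(rule, indicator):
            merged.append(rule)              # already matches: keep as is
            continue
        new = find_replacement(rule, indicator, guidelines)
        if new is None:
            raise LookupError(f"no guideline rule for {rule.topic!r} at "
                              f"{indicator!r} or stricter")
        merged.append(new)
        changes.append((rule, new))
    return merged, changes


if __name__ == "__main__":
    # Educational-level draft raised to financial level (paragraph [0411]).
    draft = [Rule("password.validity", "educational", "Passwords expire after 120 days."),
             Rule("remote.access", "general", "Remote access requires a VPN login.")]
    merged, changes = adjust_rigorousness(draft, "financial")
    for old, new in changes:
        print(f"{direction(old, new)}: {old.text} -> {new.text}")
```

Returning the list of (old, new) pairs alongside the merged rules is a design choice of this example: an automatic rewrite of policy rules should leave an audit trail that a reviewer can check before the adjusted draft replaces the previous one.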

Sixth Embodiment (selection of range of establishment) 

[0414] In the embodiments which have been described 
thus far, a security policy is prepared for the entirety 
of an organization. However, there is often a desire to 
establish a security policy for only a portion of the 
system of the organization. 
[0415] The user prescribes a range within which a 
security policy is to be established. If the apparatus 
and method for establishing a security policy operate on 
the basis of that range, the user can establish a 
security policy within only the area where one is 
desired, which affords convenience to the user. 

[0416] FIG. 14 is a block diagram showing the 
configuration of a security policy draft preparation 
apparatus 520. The illustrated security policy draft 
preparation apparatus 520 is identical in configuration 
with the security policy preparation apparatus 320 
described by reference to FIG. 10 and with the security 
policy preparation apparatus 420 described by reference 
to FIG. 11. 
[0417] The following two points of difference are 
present. 

• The range of establishment of a security policy 
prescribed by the user is supplied to the draft 
preparation means 528. 

• The range of establishment of a security policy 
prescribed by the user is supplied to the inquiry 
preparation means 522. 

[0418] By means of such a configuration, the draft 
preparation means 528 establishes a security policy 
within the range prescribed by the user, and hence the 
user can efficiently establish a security policy within 
the required range. 

[0419] Further, the inquiry preparation means 522 
prepares only inquiries about the range prescribed by 
the user, and hence useless inquiries are obviated, 
enabling efficient conduct of inquiries. Provision of the 
range prescribed by the user to the inquiry preparation 
means 522 is, however, not indispensable. The reason is 
that the number of inquiries does not affect 
establishment of a security policy: if inquiries are 
irrelevant to the range prescribed by the user, the 
interviewer can skip them at the time of the interview. 
Consequently, supply of the range prescribed by the user 
to the inquiry preparation means 522 is optional. 

[0420] The user can specify the range of establishment 
of a security policy by various methods. 
[0421] (1) First, the user can specify the range of 
establishment of a security policy at a product level. 
For example, if the user desires to establish a security 
policy concerning only "VPN," the user can do so by 
prescribing "VPN." By prescribing specific hardware or 
software, such as Web, e-mail, or a firewall, or specific 
functions thereof, the user can specify establishment of 
a security policy concerning that specific hardware or 
software. 

[0422] (2) Next, the user can prescribe the range of 
establishment of a security policy according to the 
object of use of the security policy. For example, if the 
user desires to establish a security policy only for 
"outside subcontracting," a security policy can be 
established with regard to the area which is turned over 
to an outside contractor. Likewise, the user can specify 
establishment of a security policy within the range of 
an object of use or purpose by prescribing, as the object 
of use or purpose, electronic trading (e-commerce) or a 
data center. 
[0423] (3) Further, the user can specify the range of 
establishment of a security policy from the viewpoint of 
organizational structure. For example, if the user 
desires to establish a security policy in connection with 
only the "home office," the user can do so by prescribing 
the "home office." If the user prescribes branch offices, 
a security policy pertaining to branch offices can be 
established. Moreover, the user can establish a security 
policy pertaining to a network or to a host by 
prescribing a network or a host. 

[0424] Operation required for establishing a security 
policy according to the sixth embodiment is essentially 
identical with that shown in FIG. 5, exclusive of the 
following points of difference. 

• First, in step S5-4 shown in FIG. 5 a security policy 
draft is established on the basis of the range 
prescribed by the user. 

• Second, in step S5-1 shown in FIG. 5 inquiries 
pertaining to only the range prescribed by the user are 
prepared. 

[0425] The second point of difference is not 
indispensable. As has been described, even when inquiries 
fall outside the range prescribed by the user, such 
inquiries do not directly pose a problem for 
establishment of a security policy, and an interviewer 
may skip them as required. Hence, there is no problem 
even when the inquiries are identical with those described 
in connection with the first embodiment. 
[0426] The draft preparation means 528 shown in FIG. 14 
establishes a security policy draft. To this end, 
knowledge-based information concerning the ranges within 
which the rules provided in the global guidelines fall is 
stored in the storage means 524. More specifically, the 
storage means 524 stores knowledge-based information on 
whether each rule falls within the range of "home 
office" or the range of "branch offices." By reference to 
the knowledge-based information, the draft preparation 
means 528 establishes a security policy (draft) through 
use of only the rules falling within the range prescribed 
by the user. 
[0427] In this way, in the sixth embodiment, a security 
policy (draft) can be prepared within the range 
prescribed by the user. 

[0428] The sixth embodiment has described an example in 
which the inquiry preparation means 522 prepares 
inquiries in accordance with the job specifications of a 
member (or interviewee), as in the case of the first 
embodiment (FIG. 14). Alternatively, the inquiry 
preparation means 522 may be arranged so as to provide a 
member with general inquiries regardless of his job 
specifications. 
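The range-scoped draft preparation of the sixth embodiment (draft preparation means 528 reading the range knowledge in storage means 524, and the optional restriction of inquiry preparation means 522), written out in Python as an added example; this is not code from the patent. The three ways of prescribing a range follow paragraphs [0421] to [0423]. The rules, the inquiries, and the range tags attached to them are constructed sample data, and the matching rule used in within() (an item must carry the wanted tag or apply generally in every constrained dimension, and be specific to at least one of them) is this example's interpretation of "rules falling within the range prescribed by the user"; the patent states only that such rules are used.

```python
"""Range-scoped preparation of a security policy draft (sixth embodiment).

Added example; not code from the patent.  The three ways of prescribing
a range follow paragraphs [0421] to [0423]; the rules, inquiries and
their range tags are constructed sample data, and the matching rule in
within() is this example's interpretation of "rules falling within the
range prescribed by the user".
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple, Union

ANY = "*"   # item applies regardless of the range in that dimension


@dataclass(frozen=True)
class Item:
    """A guideline rule or an inquiry, tagged with the ranges it belongs to."""
    text: str
    product: FrozenSet[str]   # product level: "vpn", "firewall", "web", ...
    purpose: FrozenSet[str]   # object of use: "outsourcing", "e-commerce", ...
    org: FrozenSet[str]       # organizational structure: "home-office", ...


def tagged(text: str, product: Union[str, Iterable[str]] = ANY,
           purpose: Union[str, Iterable[str]] = ANY,
           org: Union[str, Iterable[str]] = ANY) -> Item:
    def fs(x): return frozenset([x]) if isinstance(x, str) else frozenset(x)
    return Item(text, fs(product), fs(purpose), fs(org))


@dataclass(frozen=True)
class Range:
    """Range of establishment prescribed by the user; None = not restricted."""
    product: Optional[str] = None
    purpose: Optional[str] = None
    org: Optional[str] = None


# Knowledge-based information in storage means 524: the ranges within
# which each guideline rule falls.  Constructed sample data.
GUIDELINE_RULES = [
    tagged("VPN tunnels use mutually authenticated IPsec or TLS.", product="vpn"),
    tagged("The firewall denies inbound traffic by default.", product="firewall"),
    tagged("Branch offices reach the home office only through the VPN.",
           product="vpn", org="branch-office"),
    tagged("Home office hosts keep local system logs for 90 days.",
           product="host", org="home-office"),
    tagged("Accounts of outside contractors expire with the contract.",
           purpose="outsourcing"),
    tagged("E-commerce web servers run in a segregated network.",
           product=("web", "network"), purpose="e-commerce"),
    tagged("All members receive security training once a year."),
]

# Inquiries tagged the same way, so inquiry preparation means 522 can be
# restricted to the range (paragraph [0419]).  Constructed sample data.
INQUIRIES = [
    tagged("Which VPN product is in use, and who administers it?", product="vpn"),
    tagged("Which inbound ports does the firewall permit?", product="firewall"),
    tagged("Do branch offices have direct Internet access?", org="branch-office"),
    tagged("Which systems are operated by outside contractors?", purpose="outsourcing"),
    tagged("How many members does the organization have?"),
]


def within(item: Item, rng: Range) -> bool:
    """Does the item fall within the prescribed range?  For every dimension
    the user constrains, the item must carry the wanted tag or apply
    generally (ANY); and it must be specific to at least one constrained
    dimension, so that prescribing "VPN" does not pull in rules that
    merely apply to everything.  An unrestricted Range admits all items."""
    constrained = [(tags, wanted) for tags, wanted in
                   ((item.product, rng.product), (item.purpose, rng.purpose),
                    (item.org, rng.org)) if wanted is not None]
    if not constrained:
        return True
    return (all(wanted in tags or ANY in tags for tags, wanted in constrained)
            and any(wanted in tags for tags, wanted in constrained))


def prepare_draft(rng: Range, rules: List[Item] = GUIDELINE_RULES) -> List[Item]:
    """Draft preparation means 528: only the rules within the range."""
    return [r for r in rules if within(r, rng)]


def prepare_inquiries(rng: Range, inquiries: List[Item] = INQUIRIES,
                      restrict: bool = True) -> List[Tuple[Item, bool]]:
    """Inquiry preparation means 522.  With restrict=True only in-range
    inquiries are returned; otherwise all are returned, each flagged as
    in range or not, so the interviewer can skip the others ([0425])."""
    if restrict:
        return [(q, True) for q in inquiries if within(q, rng)]
    return [(q, within(q, rng)) for q in inquiries]


if __name__ == "__main__":
    rng = Range(product="vpn", org="branch-office")
    for rule in prepare_draft(rng):
        print("rule:", rule.text)
    for q, in_rng in prepare_inquiries(rng, restrict=False):
        print("ask " if in_rng else "skip", q.text)
```

Prescribing a range in more than one dimension at once (for example "VPN" and "branch offices") is not something the patent spells out, but the three dimensions it names are independent, so the example treats a combined prescription as the conjunction of its parts.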

Seventh Embodiment (programs and a recording medium) 

[0429] Preferably, the means which have been described 
thus far are actually embodied as programs and a 
processor executing the programs. 
[0430] FIG. 15 shows a computer 602 having a hard disk 
drive 600 in which programs are stored. 
[0431] Programs for performing the operations of the 
inquiry preparation means 12, the answer archival 
storage means 16, and the draft preparation means 18 
described in connection with the first through sixth 
embodiments are stored in the hard disk drive 600. As a 
result of a processor of the computer 602 executing the 
programs, the computer 602 implements the operations 
corresponding to the inquiry preparation means, the 
answer archival storage means, and the draft preparation 
means. 

[0432] Programs for effecting the operations of the 
contradiction inspection means 32, the contradiction 
output means 40, the matching means 41, the virtual 
information system establishment means 34, the 
difference output means 38, and the real system input 
means 36, all shown in FIG. 7, are also stored in the 
hard disk drive 600. By means of the processor of the 
computer 602 executing these programs, the computer 602 
can effect the operation of the contradiction inspection 
means 32 and the operations of the other means. 

[0433] Preferably, the storage means 14 described in 
connection with the embodiments is provided in the hard 
disk drive 600. 

[0434] An operator of the computer 602 launches the 
foregoing programs, thereby generating inquiries, and 
enters, by way of a keyboard 604, the answers to the 
inquiries given by members of the organization. As a 
matter of course, answers may also be entered by use of 
an input device such as a mouse. 
[0435] FIG. 15 shows an example in which the programs 
run on a computer 602 of the so-called standalone type. 
However, the programs may also be supplied over a 
network. 
[0436] For example, an arrangement may be adopted in 
which a client computer executes or downloads the 
foregoing programs stored on a server each time 
execution of the programs is required. 

Security Policy Draft 

[0437] The first through seventh embodiments have 
primarily described preparation of a security policy 
draft. Needless to say, the security policy draft 
preparation apparatus can also be used for establishing 
a security policy which is not a draft. In other words, 
the security policy draft preparation apparatus doubles 
as a security policy establishment apparatus, and the 
method of preparing a security policy draft doubles as a 
method of establishing a security policy. The draft 
preparation means doubles as security policy 
establishment means. 

[0438] As has been described above, according to the 
present invention, inquiries are submitted to members of 
an organization, and a security policy is established on 
the basis of the resultant answers. Accordingly, a 
security policy can be established easily. 

[0439] Further, a security policy is established 
stepwise, and hence flexible establishment of a security 
policy can be implemented while taking into 
consideration the organization's circumstances (e.g., its 
budget). 
[0440] According to the present invention, the state of 
information security of an organization is determined, 
so that the organization can become aware of the 
importance of information security. 

[0441] Since security measures can be provided together 
with their priority, planning of measures for future 
information security becomes easy. Moreover, the 
organization can discuss a budget on the basis of the 
plan. 

[0442] According to the present invention, a security 
policy can be established in consideration of the line of 
business. 

[0443] According to the present invention, the user can 
specify the global guidelines to be used for 
establishing a security policy. 

[0444] According to the present invention, a security 
policy is established through use of recommendations 
and regulations aimed at a specific line of business, in 
addition to global guidelines. Hence, an elaborate 
security policy matching the line of business more 
closely can be established. 

[0445] According to the present invention, the user can 
specify the level of rigorousness of a security policy 
through use of an indicator of rigorousness. Further, 
according to the present invention, the level of 
rigorousness of a security policy can be adjusted 
through use of an indicator of rigorousness. 

[0446] According to the present invention, the range of 
establishment of a security policy can be explicitly 
prescribed by the user. As a result, a security policy 
can be established for a portion of an organization. 

[0447] There are provided a method of efficiently 
establishing a security policy and an apparatus for 
supporting preparation of a security policy. According 
to a method of establishing a security policy in six 
steps, a simple security policy draft is first prepared. 
The security policy draft is adjusted so as to match the 
realities of the organization, as required, thus 
completing the security policy stepwise. Therefore, a 
security policy can be established in consideration of 
the schedule or budget of the organization. 



Claims 

1. A security policy rigorousness adjustment method 
for adjusting the level of rigorousness of a security 
policy, comprising: 

a rigorousness adjustment step of replacing the 
rules which have been determined not to match 
the indicator of rigorousness prescribed by a 
user with rules matching the indicator; and 
a merge and output step of merging the rules 
matching the indicator of rigorousness from the 
beginning with the rules that in the rigorousness 
adjustment step have replaced the rules not 
matching the indicator and of outputting the 
merged rules. 

2. A security policy rigorousness adjustment appara- 
tus for adjusting the level of rigorousness of a se- 
curity policy, comprising: 

rigorousness adjustment means for replacing 
the rules which have been determined not to 
match the indicator of rigorousness prescribed 
by a user with rules matching the indicator; and 
merge and output means for merging the rules 
matching the indicator of rigorousness from the 
beginning with the rules which In the rigorous- 
ness adjustment means have replaced the 
rules not matching the indicator and for output- 
ting the merged rules. 

3. A method of establishing a security policy of a 
predetermined organization, comprising: 
an inquiry preparation step of generating inquiries 
which pertain to items required for establishing a 
security policy of the organization and are to be 
submitted to members of the organization; 

an inquiry step of submitting the generated in- 
quiries to the members; 

an answer acquisition step of acquiring from the 
members answers to the inquiries; and 
an establishment step of establishing a security 
policy draft on the basis of the answers, where- 
in, in the establishment step, a security policy 
within a range of establishment prescribed by 
the user is established. 

4. The method of establishing a security policy 
according to claim 3, wherein, in the inquiry preparation 
step, inquiries pertaining to the range of establishment 
prescribed by the user are generated. 

5. A security policy establishment apparatus for 
establishing a security policy of a predetermined 
organization, comprising: 

inquiry preparation means for generating in- 
quiries which pertain to items required for es- 
tablishing a security policy of the organization 
and are to be submitted to members of the or- 
ganization; 

storage means for storing answers to the gen- 
erated inquiries; 

answer archival storage means for acquiring 
answers to the generated inquiries and storing 
the answers into the storage means; and 
establishment means for establishing a securi- 
ty policy within the range of establishment pre- 
scribed by the user. 

6. The security policy establishment apparatus 
according to claim 5, wherein the inquiry preparation 
means generates inquiries pertaining to the range of 
establishment prescribed by the user. 

7. A method of establishing a security policy for a 
predetermined organization, the method comprising: 

a draft preparation step of preparing a security 
policy draft; 

an analysis step of examining a difference be- 
tween the security policy draft and realities of 
the organization; and 

an adjustment step of adjusting the security pol- 
icy draft on the basis of the difference or adjust- 
ing operation rules of an actual information sys- 
tem belonging to the organization on the basis 
of the difference. 



8. The method of establishing a security policy 
according to claim 7, wherein the draft preparation step 
comprises: 

a preparation step of preparing inquiries to be 
submitted to members of an organization; 
an inquiry step of submitting the prepared in- 
quiries to the members; 
an answer acquisition step of acquiring from the 
members answers to the inquiries; and 
a drafting step of preparing a security policy 
draft on the basis of the answers. 

9. The method of establishing a security policy accord- 
ing to claim 8, wherein the preparation step involves 
preparation of inquiries on the basis of job specifi- 
cations of members to be inquired. 

10. The method of establishing a security policy accord- 
ing to claim 8, wherein the answer acquisition step 
includes at least one of the steps of: 

integrating the answers acquired from a single 
member from among the acquired answers and storing 
the integrated answers into storage means as the 
answers of a single member to be inquired; 

re-submitting inquiries to members if contradic- 
tory answers are included in the answers, to 
thereby resolve contradiction, and storing the 
answers into the storage means; and 
assigning weights to answers according to job 
specifications of the members to be inquired if 
contradictory answers are included in the an- 
swers, to thereby estimate answers and show 
the estimated answers. 

11. The method of establishing a security policy 
according to claim 8, wherein the analysis step 
comprises at least one of: 

a contradiction inspection step of inspecting 
whether or not contradictory answers are in- 
cluded in the answers; 

a first difference detection step of inspecting a 
difference between an information system vir- 
tually designed on the basis of the answers and 
the security policy, by means of comparison; 
and 

a second difference detection step of verifying 
the virtually-designed information system by 
means of examination of a real information sys- 
tem and inspecting a difference between the 
verified information system and the security 
policy draft by means of comparison. 

12. The method of establishing a security policy 
according to claim 11, further comprising a measurement 
step of devising measures addressing the inspected 
difference in conjunction with the priority of the 
measures. 

13. The method of establishing a security policy 
according to claim 7, further comprising a diagnosis 
step of diagnosing the security state of the 
organization, wherein a result of the diagnosis 
performed in the diagnosis step is submitted to the 
organization, whereby the organization can become 
conscious of the necessity for a security policy. 

14. The method of establishing a security policy 
according to claim 12, further comprising: 

a priority planning step of planning, in sequence 
of priority, implementation of the security measures 
which have been devised with priority, thereby 
embodying a budget of the organization. 

15. The method of establishing a security policy 
according to claim 14, wherein the security measures 
comprise: 

constructing a system for managing the establishment 
of a security policy; 
introduction of a security system; 
training for compelling employees to respect the 
security policy; 
analysis of system logs; 
monitoring of a network; 
auditing operations on the basis of the security 
policy; and 
reviewing the security policy. 

16. The method of establishing a security policy 
according to claim 14, further comprising: 

a security enhancement measures implementation 
step of implementing the security measures in 
accordance with the plan. 

17. A method of establishing a security policy 
comprising: 

a preparation step of preparing inquiries to be 
submitted to members of an organization; 
an inquiry step of submitting the prepared inquiries 
to the members; 
an answer acquisition step of acquiring from the 
members answers to the inquiries; and 
an establishment step of establishing a security 
policy on the basis of the answers. 

18. The method of establishing a security policy 
according to claim 17, wherein the preparation step 
involves preparation of inquiries on the basis of the 
job specifications of the members to be inquired. 

19. The method of establishing a security policy 
according to claim 17, wherein the answer acquisition 
step includes at least one of the steps of: 

integrating the answers acquired from a single 
member from among the acquired answers and storing 
the integrated answers into storage means as the 
answers of a single member to be inquired; 
re-submitting inquiries to members if contradictory 
answers are included in the answers, to thereby 
resolve the contradictions, and storing the answers 
into the storage means; and 
assigning weights to answers according to the job 
specifications of the members to be inquired if 
contradictory answers are included in the answers, to 
thereby estimate answers and display the estimated 
answers. 

20. The method of establishing a security policy 
according to claim 17, wherein the establishment step 
involves establishment of three levels of security 
policies, namely: 

an executive-level security policy which describes 
the organization's concept and policy concerning 
information security, in conformity with global 
guidelines; 
a corporate-level security policy which describes an 
information security system embodying the 
executive-level security policy; and 
a product-level security policy which describes 
measures to implement the executive-level security 
policy with reference to the corporate-level security 
policy. 

21. The method of establishing a security policy 
according to claim 20, wherein the corporate-level 
security policy describes standards for the information 
security system of the overall organization, and 
standards for the individual equipment constituting the 
information security system of the organization. 

22. The method of establishing a security policy 
according to claim 20, wherein the product-level 
security policy includes two types of product-level 
policies, namely: 

a first-level security policy describing settings of 
individual equipment constituting the information 
security system in natural language; and 
a second-level security policy describing settings of 
individual equipment constituting the information 
security system in the specific language used by 
specific equipment. 



23. The method of establishing a security policy according to claim 17, further comprising an analysis step of examining a difference between the security policy draft and realities of the organization;

the analysis step further comprising at least one of

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers;

a first difference detection step of inspecting a difference between the security policy and an information system virtually designed on the basis of the answers, by means of comparison; and

a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft, by means of comparison.

24. The method of establishing a security policy according to claim 23, further comprising a measurement step of devising measures to the inspected difference, in conjunction with the priority of the measures.

25. An apparatus of establishing a security policy comprising:

inquiry preparation means for preparing inquiries to be submitted to members of an organization;

storage means for storing answers to the inquiries;

answer archival storage means for acquiring from the members the answers to the inquiries and storing the answers into the storage means; and

establishment means for establishing a security policy on the basis of the answers stored in the storage means.

26. The apparatus for establishing a security policy according to claim 25, wherein the inquiry preparation means prepares inquiries to be submitted to the members to be inquired, on the basis of job specifications of the members to be inquired.

27. The apparatus for establishing a security policy according to claim 25, wherein the answer archival storage means

integrates the answers acquired from a single member from among the acquired answers and stores the integrated answers into the storage means as answers of a single member to be inquired; or

re-submits inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and stores the answers into the storage means; or

assigns weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

28. The apparatus for establishing a security policy according to claim 25, wherein the establishment means establishes three levels of security policies: namely,

an executive-level security policy which describes the organization's concept and policy concerning information security, in conformity with global guidelines;

a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

29. The apparatus for establishing a security policy according to claim 28, wherein the corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipments constituting the information security system of the organization.

30. The apparatus for establishing a security policy according to claim 28, wherein the product-level security policy includes two types of product-level policies; namely,

a first-level security policy describing settings of individual equipments constituting the information security system in natural language; and

a second-level security policy describing settings of individual equipments constituting the information security system in specific language used in specific equipments.

31. A method of assessing the state of security of an organization, the method comprising:

an inquiry preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a security state assessment step of assessing the state of security on the basis of the answers.

32. The method of assessing the state of security of an organization according to claim 31, wherein the inquiry preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

33. The method of assessing the state of security of an organization according to claim 31, wherein the answer acquisition step involves integration of previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and involves storage of the integrated answers into storage means as answers from a single member to be inquired.

34. The method of assessing the state of security of an organization according to claim 31, wherein the assessment of a security state includes

assessment of security of the organization;

average assessment of security of the other organizations included in an industry to which the organization pertains; and

the highest security assessment which is considered to be attainable by organizations in the industry to which the organization pertains.

35. The method of assessing the state of security of an organization according to claim 31, wherein the assessment of a security state includes scores assigned to the following items; namely,

understanding and attitude concerning securi- 
ty; 

a security system of the organization; 
response to unexpected accidents; 
preparation of a budget for security; and 
measures to improve security. 

36. An apparatus of assessing the state of security of 
an organization, the apparatus comprising: 

preparation means of preparing inquiries to be 
submitted to members of the organization; 
storage means for storing answers to the inquir- 
ies; 

answer archival storage means of acquiring 
from the members the answers to the inquiries 
and storing the answers into the storage 
means; and 

security maturity preparation means for prepar- 
ing a security maturity report representing the 
degree of maturity of security, on the basis of 
the answers stored in the storage means. 
37. The apparatus for assessing the state of security of an organization according to claim 36, wherein the answer archival storage means integrates previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and stores the integrated answers into the storage means as answers from a single member to be inquired.

38. The apparatus for assessing the state of security of an organization according to claim 36, wherein the security maturity report includes

the degree of maturity of the organization's security;

the average degree of maturity of security of other organizations included in an industry to which the organization pertains; and

the highest degree of maturity of security which is considered to be attainable by organizations in the industry to which the organization pertains.



39. The apparatus for assessing the state of security of an organization according to claim 36, wherein the security maturity report includes scores assigned to the following items; namely,

understanding and attitude concerning security;

a security system of the organization;

response to unexpected accidents;

preparation of a budget for security; and

measures to improve security.

40. An analyzer for analyzing a difference between a security policy and an information system of an organization, comprising

contradiction inspection means for inspecting whether or not contradiction exists between individual answers in response to inquiries submitted to members of the organization; and

contradiction output means for outputting information about the inspected contradiction.

41. The analyzer for analyzing a difference between a security policy and an information system of an organization according to claim 40, further comprising:

indicating means for indicating the contradiction on the basis of the information about contradiction;

establishment means for virtually establishing an information system for the organization on the basis of the answers free of contradiction; and

difference output means for outputting a difference between the configuration of the virtually-established information system and a security policy, by means of comparison.

42. The analyzer for analyzing a difference between a security policy and an information system of an organization according to claim 41, further comprising:

real system input means for examining the information system of the organization and entering the configuration of the information system; and

difference output means which verifies the virtually-established information system by reference to the configuration of the information system and outputs a difference between a security policy and the configuration of the virtually-established information system which has been verified, by means of comparison.


43. The method of establishing a security policy according to claim 8, wherein, in the inquiry preparation step, the inquiries are generated in accordance with the line of business of the organization.

44. The method of establishing a security policy according to claim 17, wherein, in the inquiry preparation step, the inquiries are generated in accordance with the line of business of the organization.

45. The security policy establishment apparatus according to claim 25, wherein the inquiry preparation means generates inquiries to be submitted to an interviewee in accordance with the line of business of the organization.

46. The method of establishing a security policy according to claim 8, wherein, in the drafting step, a security policy is established on the basis of recommendations or regulations aimed at a specific line of business.

47. The method of establishing a security policy according to claim 17, wherein, in the establishment step, a security policy is established on the basis of recommendations or regulations aimed at a specific line of business.

48. The security policy establishment apparatus according to claim 25, wherein the establishment means establishes a security policy on the basis of items of recommendations or regulations aimed at a specific line of business.

49. The method of establishing a security policy according to claim 8, wherein, in the drafting step, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

50. The method of establishing a security policy accord- 
ing to claim 49, wherein, in the inquiry preparation 
step, inquiries are generated on the basis of items 
of global guidelines of one or a plurality of types pre- 
scribed by a user. 

51. The method of establishing a security policy according to claim 17, wherein, in the establishment step, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

52. The method of establishing a security policy according to claim 51, wherein, in the inquiry preparation step, inquiries are generated on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

53. The security policy establishment apparatus ac- 
cording to claim 25, wherein the establishment 
means establishes a security policy on the basis of 
items of global guidelines of one or a plurality of 
types prescribed by a user. 

54. The security policy establishment apparatus according to claim 53, wherein the inquiry preparation means generates inquiries to be submitted to interviewees, on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

55. The method of establishing a security policy accord- 
ing to claim 8, wherein, in the establishment step, a 
security policy is established on the basis of an in- 
dicator of rigorousness of security policy prescribed 
by the user. 

56. The method of establishing a security policy accord- 
ing to claim 55, wherein, in the inquiry preparation 
step, the inquiries are generated on the basis of an 
indicator of rigorousness of security policy pre- 
scribed by the user. 

57. The method of establishing a security policy accord- 
ing to claim 17, wherein, in the establishment step, 
a security policy is established on the basis of an 
indicator of rigorousness of security policy pre- 
scribed by the user. 

58. The method of establishing a security policy accord- 
ing to claim 57, wherein, in the inquiry preparation 
step, the inquiries are generated on the basis of an 
indicator of rigorousness of security policy pre- 
scribed by the user. 



59. The security policy establishment apparatus ac- 
cording to claim 25, wherein the establishment 
means establishes a security policy on the basis of 
an indicator of rigorousness of security policy pre- 

5 scribed by the user. 

60. The security policy establishment apparatus ac- 
cording to claim 59, wherein the Inquiry preparation 
means generates inquiries, on the basis of an indi- 
go cator of rigorousness of security policy prescribed 

by the user. 

61. A computer-readable recording medium having re- 
corded thereon a program for causing a computer 

is to perform: 

inquiry preparation procedures for generating 
inquiries which pertain to items required for es- 
tablishing a security policy of the organization 
20 and are to be submitted to members of the or- 

ganization; 

answer archival procedures for entering an- 
swers to the generated inquiries and storing the 
answers into storage means; and 
25 establishment procedures for establishing a se- 

curity policy on the basis of the answers stored 
in the storage means. 

62. The recording medium according to claim 61, 
30 wherein, in the inquiry preparation procedures, in- 
quiries to be submitted to interviewees are gener- 
ated on the basis of job specifications of the inter- 
viewees. 

35 63. The recording medium according to claim 61, 
wherein, in the answer archival procedures, the an- 
swers acquired from a single member from among 
the acquired answers are integrated, and the inte- 
grated answers are stored into the storage means 
40 as answers of a single member to be inquired; or 
weights are assigned to answers according to 
job specifications of the members to be inquired if 
contradictory answers are included in the answers, 
to thereby estimate final answers and display the 
45 estimated final answers. 

64. The recording medium according to claim 61, wherein, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

65. The recording medium according to claim 61, wherein, in the establishment procedures, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

66. The recording medium according to claim 61, wherein, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

67. The recording medium according to claim 61, wherein, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

68. A computer-readable recording medium having recorded thereon a program for causing a computer to perform:

inquiry preparation procedures for outputting inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization;

answer archival procedures for entering answers to the outputted inquiries and storing the answers into storage means; and

security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

69. The recording medium according to claim 68, wherein the inquiry preparation means generates inquiries to be submitted to interviewees, on the basis of job specifications of the interviewees.

70. A computer-readable recording medium having recorded thereon a program for causing a computer to perform:

contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers submitted in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and

contradiction output procedures for outputting information about the inspected contradiction.

71. The recording medium according to claim 70, further comprising:

indicating procedures for indicating the contradictions on the basis of the information about contradiction;

establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers free of contradictions; and

difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

72. A computer-readable recording medium having recorded thereon a program for causing a computer to perform:



rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator of rigorousness; and

merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment procedure have replaced the rules not matching the indicator and for outputting the merged rules.
73. A program for causing a computer to perform:

inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of a predetermined organization and are to be submitted to members of the organization;

answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and

establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.



74. The program according to claim 73, wherein, in the 
inquiry preparation procedures, inquiries to besub- 
40 mitted to interviewees are generated on the basis 
of job specifications of the interviewees. 



75. The program according to claim 73, wherein, in the 
answer archival procedures, the answers acquired 
from a single member from among the acquired an- 
swers are integrated, and the integrated answers 
are stored into the storage means as answers of a 
single member to be inquired; or 

weights are assigned to answers according to 
job specifications of the members to be inquired if 
contradictory answers are included in the answers, 
to thereby estimate final answers and display the 
estimated final answers. 
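The answer archival procedure of claims 19, 27, 63 and 75, as an added example that is not code from the patent: answers from one member are integrated into a single answer set, items on which members contradict each other are detected, and a contradicted item is estimated by weighting each answer with the member's job specification; an exact tie is reported for re-submission of the inquiry rather than guessed. The role weights, item names and all sample answers are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed weights per job specification: an assumption for this example,
# not values taken from the patent.
ROLE_WEIGHT = {"security officer": 3.0, "system administrator": 2.0, "staff": 1.0}


@dataclass(frozen=True)
class Answer:
    member: str   # member who answered
    role: str     # job specification of the member
    item: str     # identifier of the inquiry item
    value: str    # the answer given, e.g. "yes" / "no"


def integrate_by_member(answers):
    """Integrate all answers of one member into a single answer set.

    A later answer to the same item replaces the earlier one, so storage
    holds exactly one answer per item per member.
    """
    merged = defaultdict(dict)
    for a in answers:
        merged[a.member][a.item] = a
    return dict(merged)


def find_contradictions(merged):
    """Contradiction inspection: items on which members gave differing values.

    Returns {item: {value: [members]}} restricted to contradictory items.
    """
    by_item = defaultdict(lambda: defaultdict(list))
    for member, items in merged.items():
        for item, a in items.items():
            by_item[item][a.value].append(member)
    return {item: {v: sorted(m) for v, m in vals.items()}
            for item, vals in by_item.items() if len(vals) > 1}


def estimate_answer(merged, item):
    """Weight each member's answer by job specification and take the heaviest.

    Returns (estimated_value, scores). A tie yields None as the value,
    signalling that the inquiry should be re-submitted instead of guessed.
    """
    score = defaultdict(float)
    for items in merged.values():
        if item in items:
            a = items[item]
            score[a.value] += ROLE_WEIGHT.get(a.role, 1.0)
    ranked = sorted(score.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None, dict(score)
    return ranked[0][0], dict(score)


def resolve(answers):
    """Full pass: integrate, inspect contradictions, estimate each contradicted item."""
    merged = integrate_by_member(answers)
    contradictions = find_contradictions(merged)
    estimates = {item: estimate_answer(merged, item) for item in contradictions}
    return contradictions, estimates


# Constructed sample answers (not from the patent).
SAMPLE = [
    Answer("alice", "security officer", "firewall_installed", "yes"),
    Answer("bob", "staff", "firewall_installed", "no"),
    Answer("carol", "staff", "firewall_installed", "no"),
    Answer("bob", "staff", "antivirus_updated", "yes"),
    Answer("bob", "staff", "antivirus_updated", "no"),   # bob corrected himself
    Answer("alice", "security officer", "antivirus_updated", "no"),
    Answer("bob", "staff", "backups_tested", "yes"),
    Answer("dave", "staff", "backups_tested", "no"),      # equal weights: re-submit
]

if __name__ == "__main__":
    contradictions, estimates = resolve(SAMPLE)
    for item, (value, scores) in estimates.items():
        print(item, contradictions[item], "->", value or "re-submit inquiry", scores)
```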
76. The program according to claim 73, wherein, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

77. The program according to claim 73, wherein, in the establishment procedures, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

78. The recording medium according to claim 73, wherein, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

79. The recording medium according to claim 73, wherein, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

80. A program for causing a computer to perform: 

inquiry preparation procedures for outputting 
inquiries which pertain to items required for 
evaluating the degree of maturity of security of 
a predetermined organization and are to be 
submitted to members of the organization; 
answer archival procedures for entering an- 
swers to the outputted inquiries and storing the 
answers into storage means; and 
security maturity preparation procedures for 
preparing a security maturity report represent- 
ing the degree of maturity of security, on the ba- 
sis of the answers stored in the storage means. 
81. A program for causing a computer to perform:

contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and

contradiction output procedures for outputting information about the inspected contradiction.

82. The program according to claim 81, further comprising:

matching procedures for matching the answers on the basis of the information about contradiction, thus producing answers free of contradiction;

establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching procedure; and

difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

83. A program for causing a computer to perform:

level-of-rigorousness inspection procedures for inspecting whether or not individual rules of the security policy match an indicator of rigorousness prescribed by a user;

rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator in the level-of-rigorousness inspection procedure with rules matching the indicator of rigorousness; and

merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment procedure have replaced the rules not matching the indicator and for outputting the merged rules.
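The three procedures of claim 83 (and of claim 72), as an added example that is not code from the patent: each draft rule is inspected against the user's indicator of rigorousness, rules that do not match are replaced by the wording at the prescribed level, and the rules that matched from the beginning are merged with the replacements in the draft's original order. The integer rigor scale, the rule catalogue, and the handling of a rule with no wording at the prescribed level (kept as drafted and reported) are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str   # stable id shared by all wordings of the same rule
    text: str      # the rule as written into the policy
    rigor: int     # level of rigorousness: 1 lenient, 2 standard, 3 strict (constructed scale)


# Constructed catalogue of alternative wordings per rule id and level (not from the patent).
CATALOG = {
    "PWD-LEN": {
        1: Rule("PWD-LEN", "Passwords must be at least 8 characters.", 1),
        2: Rule("PWD-LEN", "Passwords must be at least 12 characters.", 2),
        3: Rule("PWD-LEN", "Passwords must be at least 16 characters and rotated yearly.", 3),
    },
    "LOG-RET": {
        1: Rule("LOG-RET", "Keep system logs for 30 days.", 1),
        2: Rule("LOG-RET", "Keep system logs for 90 days.", 2),
        3: Rule("LOG-RET", "Keep system logs for 1 year on write-once storage.", 3),
    },
    "ENC-DATA": {
        2: Rule("ENC-DATA", "Encrypt confidential data on laptops.", 2),
        3: Rule("ENC-DATA", "Encrypt confidential data on all devices and in transit.", 3),
    },
}


def inspect_rigor(rules, indicator):
    """Level-of-rigorousness inspection: split rules into matching / not matching."""
    matching = [r for r in rules if r.rigor == indicator]
    mismatched = [r for r in rules if r.rigor != indicator]
    return matching, mismatched


def adjust_rigor(mismatched, indicator, catalog=CATALOG):
    """Rigorousness adjustment: replace each mismatched rule with the catalogue
    wording at the prescribed level. Rules with no wording at that level are
    returned separately for manual handling (an assumption of this example)."""
    replaced, unresolved = {}, []
    for r in mismatched:
        alt = catalog.get(r.rule_id, {}).get(indicator)
        if alt is None:
            unresolved.append(r)
        else:
            replaced[r.rule_id] = alt
    return replaced, unresolved


def merge_and_output(rules, indicator, catalog=CATALOG):
    """Merge the rules that matched from the beginning with the replacements,
    keeping the draft's original order. Returns (merged_rules, unresolved)."""
    matching, mismatched = inspect_rigor(rules, indicator)
    replaced, unresolved = adjust_rigor(mismatched, indicator, catalog)
    matched_ids = {r.rule_id for r in matching}
    merged = []
    for r in rules:
        if r.rule_id in matched_ids:
            merged.append(r)
        elif r.rule_id in replaced:
            merged.append(replaced[r.rule_id])
        else:
            merged.append(r)   # unresolved: kept as drafted, but reported
    return merged, unresolved


# Constructed draft: a mixed-level draft being brought to level 2.
DRAFT = [
    CATALOG["PWD-LEN"][1],
    CATALOG["LOG-RET"][2],
    CATALOG["ENC-DATA"][3],
    Rule("VISITOR", "Visitors must sign in at reception.", 1),  # no catalogue entry
]

if __name__ == "__main__":
    merged, unresolved = merge_and_output(DRAFT, indicator=2)
    for r in merged:
        print(r.rule_id, r.rigor, r.text)
    print("needs manual wording:", [r.rule_id for r in unresolved])
```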